Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language	java
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description#

User input from the HttpServletRequest is being written directly to the HTTP response without proper encoding. This allows attackers to inject malicious scripts into web pages, leading to cross-site scripting (XSS) vulnerabilities.

Impact#

If exploited, an attacker could execute arbitrary JavaScript in users’ browsers, potentially stealing session cookies, defacing the site, or performing actions on behalf of users. This can compromise user data, damage trust, and expose the organization to compliance risks.