Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
| Property | |
|---|---|
| Language | java |
| Severity |  |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| OWASP | A07:2017 - Cross-Site Scripting (XSS) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
User input is being written directly to an OutputStream or Writer in a servlet response, bypassing view technologies that normally escape HTML. This can allow attackers to inject malicious scripts into web pages.
Impact#
If exploited, attackers can perform cross-site scripting (XSS) attacks, leading to theft of user data, session hijacking, or defacement of your site. This exposes both users and the organization to significant security and reputational risks.