Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language	java
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	High

Description#

User input is being directly inserted into manually constructed HTML strings before being sent in a response. This bypasses built-in HTML escaping and can allow malicious input to be rendered as executable code in a user’s browser.

Impact#

If exploited, attackers can inject scripts (Cross-Site Scripting/XSS), leading to theft of user data, session hijacking, or manipulation of the application’s content. This can compromise user trust and expose sensitive information.