Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	High

Description#

User input is being included directly in an HTML response without proper sanitization or escaping. This allows attackers to inject malicious scripts into the returned HTML, creating a cross-site scripting (XSS) vulnerability.

Impact#

If exploited, attackers could execute arbitrary JavaScript in users’ browsers, potentially stealing session cookies, user credentials, or sensitive data. This can lead to account compromise, data theft, and loss of user trust in the application.