Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Property
Language
Severity
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP	A07:2017 - Cross-Site Scripting (XSS)
Confidence Level	Medium
Impact Level	Medium
Likelihood Level	Medium

Description#

User input is being inserted directly into HTML strings instead of using safe templating methods. This can allow attackers to inject malicious scripts if the input is not properly sanitized.

Impact#

If exploited, attackers could execute JavaScript in users’ browsers (cross-site scripting), leading to stolen session cookies, user data theft, defacement of the site, or actions performed on behalf of users without their consent.