
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): vulnerability list (402)

402 CVE entries classified under the CWE-80 weakness (Improper Neutralization of Script-Related HTML Tags in a Web Page, Basic XSS), with Chinese-language AI analysis.

CWE-80 is basic cross-site scripting, an input-validation weakness. An attacker injects HTML tags that carry script; because the application does not correctly escape special characters, the browser executes code the page never intended to run, which can be used to steal data or hijack the user's session. Developers should filter user input against a strict allowlist and entity-encode all data written into an HTML page, so that special characters are escaped correctly and the injected script never executes.

MITRE CWE official description
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS). Description: the product receives input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special characters such as "<", ">" and "&" that could be interpreted as web-script elements when they are sent to a downstream component that processes web pages.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data, Execute Unauthorized Code or Commands.
An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Code example (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.
Bad · JSP

    <% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
           Entry e = (Entry) i.next(); %>
        <p>Entry #<%= e.getId() %></p>
        <p><%= e.getText() %></p>
    <% } %>
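To show the neutralization the mitigations above call for, here is an added Python example (not the page's JSP and not code from any listed project) that renders constructed guestbook entries two ways: verbatim, as the JSP does, and with the characters the CWE names ("<", ">", "&", plus both quote characters) entity-encoded. The entry data, the render functions and the script-tag check are all constructed for this illustration.

```python
import re

# Constructed guestbook entries (sample data for this example, not from the page).
# Entry 3 carries the kind of script-related tag CWE-80 describes.
GUESTBOOK = [
    (1, "Nice site, thanks!"),
    (2, "Tom & Jerry <3"),
    (3, "<script>alert(1)</script>"),
]

# Entity table for the characters that can open, close or quote HTML elements.
# str.translate applies it in one pass, so the '&' of a freshly produced entity
# is never re-encoded (the double-encoding bug of chained replace() calls).
HTML_ENTITIES = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
})

def neutralize(text: str) -> str:
    """Entity-encode text for insertion into an HTML text node or attribute value."""
    return text.translate(HTML_ENTITIES)

def render_entry_unsafe(entry_id: int, text: str) -> str:
    """Mirrors the page's JSP: e.getText() is written into the page verbatim."""
    return f"<p>Entry #{entry_id}</p> <p>{text}</p>"

def render_entry_safe(entry_id: int, text: str) -> str:
    """Same markup, but the user-controlled text is neutralized before output."""
    return f"<p>Entry #{entry_id}</p> <p>{neutralize(text)}</p>"

def render_guestbook(entries, safe: bool = True) -> str:
    render = render_entry_safe if safe else render_entry_unsafe
    return "\n".join(render(i, t) for i, t in entries)

# Detection helper: a literal <script ...> or </script> surviving in the
# rendered output means a user-supplied tag reached the page un-neutralized.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def contains_script_tag(markup: str) -> bool:
    return SCRIPT_TAG.search(markup) is not None

if __name__ == "__main__":
    for safe in (False, True):
        out = render_guestbook(GUESTBOOK, safe=safe)
        print(f"safe={safe}: script tag present={contains_script_tag(out)}")
        print(out)
```

The encoding shown is for HTML text and attribute contexts only; data placed inside a script block, a URL or a CSS value needs the encoder for that context instead.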
| CVE ID | Title | Product | CVSS | Risk | Published |
|---|---|---|---|---|---|
| CVE-2026-42030 | MapServer OpenLayers basic XSS vulnerability | MapServer | 6.1 | Medium | 2026-05-08 |
| CVE-2026-44264 | Weblate cross-site scripting (XSS) via crafted Markdown | weblate | 4.3 | Medium | 2026-05-07 |
| CVE-2026-6002 | DivvyDrive HTML injection vulnerability | DivvyDrive | 8.8 | High | 2026-05-07 |
| CVE-2025-59854 | HCL DFXAnalytics insecure security-header configuration vulnerability | DFXAnalytics | 3.1 | Low | 2026-05-06 |
| CVE-2026-1564 | Pega Platform security vulnerability | Pega Infinity | 5.5 | - | 2026-04-15 |
| CVE-2026-20170 | Cisco Webex Contact Center security vulnerability | Cisco Webex Contact Center | 6.1 | Medium | 2026-04-15 |
| CVE-2026-40105 | XWiki Platform security vulnerability | xwiki-platform | 8.8 | - | 2026-04-15 |
| CVE-2026-39425 | MaxKB security vulnerability | MaxKB | 5.4 | - | 2026-04-14 |
| CVE-2026-33657 | EspoCRM security vulnerability | espocrm | 4.6 | Medium | 2026-04-13 |
| CVE-2026-34718 | Zammad security vulnerability | zammad | 5.4 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-39712 | WordPress plugin tagDiv Composer security vulnerability | tagDiv Composer | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39628 | WordPress plugin DukaMarket security vulnerability | DukaMarket | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39629 | WordPress plugin Uminex security vulnerability | Uminex | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39626 | WordPress plugin Armania security vulnerability | Armania | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39625 | WordPress plugin TechOne security vulnerability | TechOne | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39837 | MediaWiki - Cargo Extension security vulnerability | Mediawiki - Cargo Extension | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39841 | MediaWiki - Cargo Extension security vulnerability | Mediawiki - Cargo Extension | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39839 | MediaWiki - Cargo Extension security vulnerability | Mediawiki - Cargo Extension | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39344 | ChurchCRM security vulnerability | CRM | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35460 | Papra security vulnerability | papra | 4.3 | Medium | 2026-04-07 |
| CVE-2025-66486 | IBM Aspera Shares security vulnerability | Aspera Shares | 4.8 | Medium | 2026-04-01 |
| CVE-2026-1834 | WordPress plugin Ibtana – WordPress Website Builder security vulnerability | Ibtana – WordPress Website Builder | 6.4 | Medium | 2026-03-31 |
| CVE-2026-2995 | GitLab security vulnerability | GitLab | 7.7 | High | 2026-03-25 |
| CVE-2026-32891 | Anchorr security vulnerability | Anchorr | 9.1 | Critical | 2026-03-20 |
| CVE-2026-32753 | FreeScout security vulnerability | freescout | 6.1 | - | 2026-03-19 |
| CVE-2026-27166 | Discourse security vulnerability | discourse | 4.1 | Medium | 2026-03-19 |
| CVE-2026-32732 | Lean 4 VS Code Extension security vulnerability | vscode-lean4 | 6.1 (AI) | Medium (AI) | 2026-03-13 |
| CVE-2025-59540 | Chamilo security vulnerability | chamilo-lms | 4.8 | - | 2026-03-06 |
| CVE-2026-20070 | Cisco Secure Firewall Adaptive Security Appliance and Cisco Secure Firewall Threat Defense security vulnerability | Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 6.1 | Medium | 2026-03-04 |
| CVE-2025-52564 | Chamilo security vulnerability | chamilo-lms | 6.1 (AI) | Medium (AI) | 2026-03-02 |

Scores and risk levels marked (AI) carry the site's AI badge in the original listing; "-" means no risk level was given.

CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, Basic XSS) is a common weakness category; this platform has 402 CVE entries associated with it.