
CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) — Vulnerability Class (403 CVEs)

403 vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)). AI analysis included.

CWE-80 is a critical input validation weakness: the application fails to neutralize user-supplied data before rendering it in a web page, so an attacker can inject script, typically JavaScript, into HTML content viewed by other users. Exploitation usually starts with a crafted URL or form input containing script tags; the vulnerable application embeds that input in a page without filtering it, and the victim's browser then executes it. Consequences include session hijacking, credential theft, and defacement. The primary mitigation is robust output encoding: every special character, including angle brackets and ampersands, is converted to its HTML entity equivalent before it reaches the page. Content Security Policy headers and modern frameworks with built-in escaping reduce the attack surface further by preventing execution of unauthorized scripts.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability
Impact: Read Application Data; Execute Unauthorized Code or Commands
An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.

Bad example (JSP):

    <%
        for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
            Entry e = (Entry) i.next();
    %>
        <p>Entry #<%= e.getId() %></p>
        <%-- user-supplied comment text is written into the page verbatim, with no HTML encoding --%>
        <p><%= e.getText() %></p>
    <%
        }
    %>
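As an added example (not the CWE entry's own code and not taken from any product listed on this page), here is the guestbook renderer above rewritten in Node.js: the vulnerable form beside a hardened form that HTML-encodes every value before it is written into the page. The entry data, the helper names and the raw-script-tag check are constructed for illustration.

```javascript
// Added example: the CWE-80 guestbook loop in Node.js, unsafe and hardened.

// Characters that CWE-80 names ("<", ">", "&") plus both quote characters,
// mapped to the HTML entities that make them render as literal text.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Encode a value for the HTML text context (between tags). One pass, so an
// "&" produced by the encoding is never re-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: mirrors the JSP "<p><%= e.getText() %></p>" line, which writes
// the stored comment into the page verbatim.
function renderGuestbookUnsafe(entries) {
  return entries
    .map((e) => `<p>Entry #${e.id}</p>\n<p>${e.text}</p>`)
    .join("\n");
}

// Hardened: the same markup, but every interpolated value is encoded for the
// context it lands in, so a comment can only ever render as text.
function renderGuestbookSafe(entries) {
  return entries
    .map((e) => `<p>Entry #${escapeHtml(e.id)}</p>\n<p>${escapeHtml(e.text)}</p>`)
    .join("\n");
}

// Crude review-time check (constructed for this example, not a production
// detector): does the rendered page still contain an unencoded script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data: one ordinary comment and one carrying markup.
const SAMPLE_ENTRIES = [
  { id: 1, text: "Great site, thanks & keep it up!" },
  { id: 2, text: '<script>alert("xss")</script>' },
];

console.log(renderGuestbookSafe(SAMPLE_ENTRIES));
```

Note that `escapeHtml` is only correct for HTML text and quoted attribute values; values placed inside a `<script>` block, a URL, or a CSS property need the encoding rules of that context instead.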
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-20916 | Cisco IoT Control Center Cross-Site Scripting Vulnerability | Cisco IoT Control Center | 6.1 | Medium | 2022-07-21
CVE-2017-20122 | Bitrix Site Manager Contact Form cross site scripting | Site Manager | 3.5 | Low | 2022-06-30
CVE-2017-20118 | TrueConf Server DOM cross site scripting | Server | 3.5 | Low | 2022-06-29
CVE-2017-20117 | TrueConf Server group DOM cross site scripting | Server | 3.5 | Low | 2022-06-29
CVE-2017-20116 | TrueConf Server Reflected cross site scripting | Server | 3.5 | Low | 2022-06-29
CVE-2017-20115 | TrueConf Server Reflected cross site scripting | Server | 3.5 | Low | 2022-06-29
CVE-2017-20114 | TrueConf Server Reflected cross site scripting | Server | 3.5 | Low | 2022-06-29
CVE-2017-20113 | TrueConf Server Stored cross site scripting | Server | 3.5 | Low | 2022-06-29
CVE-2017-20108 | Easy Table Plugin options-general.php cross site scripting | Easy Table Plugin | 3.5 | Low | 2022-06-29
CVE-2017-20098 | Admin Custom Login Plugin Persistent cross site scripting | Admin Custom Login Plugin | 3.5 | Low | 2022-06-27
CVE-2017-20100 | Air Transfer cross site scripting | Air Transfer | 3.5 | Low | 2022-06-27
CVE-2017-20097 | WP-Filebase Download Manager Plugin cross site scripting | WP-Filebase Download Manager Plugin | 3.5 | Low | 2022-06-24
CVE-2017-20096 | WP-SpamFree Anti-Spam Plugin cross site scripting | WP-SpamFree Anti-Spam Plugin | 3.5 | Low | 2022-06-24
CVE-2017-20094 | NewStatPress Plugin Persistent cross site scripting | NewStatPress Plugin | 3.5 | Low | 2022-06-24
CVE-2017-20092 | Google Analytics Dashboard Plugin cross site scripting | Google Analytics Dashboard Plugin | 3.5 | Low | 2022-06-24
CVE-2017-20089 | Gwolle Guestbook Plugin cross site scripting | Gwolle Guestbook Plugin | 3.5 | Low | 2022-06-23
CVE-2017-20087 | Alpine PhotoTile for Instagram Plugin cross site scripting | Alpine PhotoTile for Instagram Plugin | 3.5 | Low | 2022-06-23
CVE-2017-20085 | Atahualpa Theme cross site scripting | Atahualpa Theme | 3.5 | Low | 2022-06-23
CVE-2017-20061 | Elefant CMS extended Reflected cross site scripting | CMS | 4.3 | Medium | 2022-06-20
CVE-2017-20060 | Elefant CMS Blog Post Persistent cross site scripting | CMS | 3.5 | Low | 2022-06-20
CVE-2017-20059 | Elefant CMS Title Persistent cross site scripting | CMS | 3.5 | Low | 2022-06-20
CVE-2017-20058 | Elefant CMS Version Comparison Persistent cross site scripting | CMS | 4.3 | Medium | 2022-06-20
CVE-2017-20057 | Elefant CMS Persistent cross site scripting | CMS | 4.3 | Medium | 2022-06-20
CVE-2017-20056 | weblizar User Login Log Plugin Stored cross site scripting | User Login Log Plugin | 3.5 | Low | 2022-06-16
CVE-2017-20055 | BestWebSoft Contact Form Plugin Stored cross site scripting | Contact Form Plugin | 3.5 | Low | 2022-06-16
CVE-2017-20054 | XYZScripts Contact Form Manager Plugin cross site scripting | Contact Form Manager Plugin | 3.5 | Low | 2022-06-16
CVE-2017-20044 | Navetti PricePoint Reflected cross site scripting | PricePoint | 4.3 | Medium | 2022-06-13
CVE-2017-20043 | Navetti PricePoint Persistent cross site scripting | PricePoint | 4.3 | Medium | 2022-06-13
CVE-2018-25039 | Thomson TCW710 RgUrlBlock.asp Persistent cross site scripting | TCW710 | 3.5 | Low | 2022-06-12
CVE-2018-25038 | Thomson TCW710 RgDhcp Persistent cross site scripting | TCW710 | 3.5 | Low | 2022-06-12

Vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) total 403 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.