CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) — Vulnerability Class (403 CVEs)

403 vulnerabilities are classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)). AI-generated analysis in Chinese is included.

CWE-80 represents a critical input validation weakness where applications fail to properly sanitize user-supplied data before rendering it in web pages. This flaw allows attackers to inject malicious scripts, typically JavaScript, into the HTML content viewed by other users. Exploitation usually occurs when an attacker crafts a malicious URL or form input containing script tags, which the vulnerable application then executes in the victim’s browser without proper filtering. This can lead to severe consequences such as session hijacking, credential theft, or defacement. To mitigate this risk, developers must implement robust output encoding strategies, ensuring that all special characters like angle brackets and ampersands are converted into their safe HTML entity equivalents. Additionally, employing Content Security Policy headers and utilizing modern frameworks with built-in escaping mechanisms further reduces the attack surface by preventing the execution of unauthorized scripts.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data, Execute Unauthorized Code or Commands.
An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Implementation: Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Implementation: Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Implementation: With Struts, write all data from form beans with the bean's filter attribute set to true.
Implementation: To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.

    <% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
        Entry e = (Entry) i.next(); %>
        <p>Entry #<%= e.getId() %></p>
        <p><%= e.getText() %></p>
    <% } %>

Bad · JSP
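The same guestbook rendered both ways, as an added example in Python rather than JSP (it is not from the MITRE entry or from any project listed below): the unsafe rendering mirrors the JSP, and the hardened rendering neutralizes the "<", ">", "&" and quote characters at the output point. The Entry class, the guestbook data and the check function are constructed for this example.

```python
from dataclasses import dataclass

# The five characters that matter in HTML element bodies and quoted attributes,
# mapped to the entities they are neutralized to (the same output that Python's
# html.escape(text, quote=True) produces).
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
_TABLE = str.maketrans(ENTITIES)


def neutralize(text: str) -> str:
    """Output-encode untrusted text for an HTML element body or quoted attribute.

    str.translate substitutes every character in a single pass, so the '&' of
    the '&lt;' produced for '<' is never encoded a second time, which is the
    classic slip when chained str.replace calls run with '&' last.
    """
    return text.translate(_TABLE)


@dataclass
class Entry:
    id: int
    author: str
    text: str


# Constructed sample data (not from the page): a benign comment containing an
# ampersand and quotes, and one carrying the script tag the CWE describes.
GUESTBOOK = [
    Entry(1, 'Ann "the admin" O\'Neil', "Nice site & thanks!"),
    Entry(2, "guest", '<script>alert("xss")</script>'),
]


def render_bad(entries):
    """Mirrors the JSP above: author and text land in the page verbatim."""
    return "".join(
        f'<p title="{e.author}">Entry #{e.id}</p> <p>{e.text}</p>' for e in entries
    )


def render_good(entries):
    """Same page, with every untrusted value neutralized at the output point."""
    return "".join(
        f'<p title="{neutralize(e.author)}">Entry #{e.id}</p> <p>{neutralize(e.text)}</p>'
        for e in entries
    )


def contains_script_tag(rendered: str) -> bool:
    """Review/test check: does a raw <script> element survive in the rendered page?"""
    return "<script" in rendered.lower()
```

The quoted author name shows why quotes must be encoded too: in the unsafe output it terminates the title attribute, in the hardened output it stays inside it.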
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-62414 | bagisto - Cross Site Scripting (XSS) in Create New Customer | bagisto | 6.9 | Medium | 2025-10-16
CVE-2025-11160 | WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via Custom JS Module | WPBakery Page Builder | 6.4 | Medium | 2025-10-15
CVE-2025-11161 | WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode | WPBakery Page Builder | 6.4 | Medium | 2025-10-15
CVE-2025-62172 | Home Assistant vulnerable to Stored XSS in Energy dashboard from Energy Entity Name | core | 5.4 (AI) | Medium (AI) | 2025-10-14
CVE-2025-31992 | HCL MaxAI Assistant is susceptible to a HTML injection vulnerability | MaxAI Assistant | 4.6 | Medium | 2025-10-12
CVE-2025-10496 | Cookie Notice & Consent <= 1.6.5 - Unauthenticated Stored Cross-Site Scripting | Cookie Notice & Consent | 7.2 | High | 2025-10-09
CVE-2025-52654 | HCL MyXalytics is affected by an HTML Injection | HCL MyXalytics | 4.6 | Medium | 2025-10-03
CVE-2025-11241 | Yoast SEO Premium 25.7-25.9 - Authenticated (Contributor+) Stored Cross-Site Scripting | Yoast SEO Premium | 6.4 | Medium | 2025-10-03
CVE-2025-58054 | Discourse is vulnerable to XSS when quoting chat messages | discourse | 3.5 | Low | 2025-10-01
CVE-2025-10128 | Eulerpool Research Systems <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | Eulerpool Research Systems | 6.4 | Medium | 2025-09-30
CVE-2025-60100 | WordPress XStore theme < 9.6 - Content Injection vulnerability | XStore | 5.3 | Medium | 2025-09-26
CVE-2025-59573 | WordPress Cozy Blocks Plugin <= 2.1.29 - Content Injection Vulnerability | Cozy Blocks | 5.3 | Medium | 2025-09-22
CVE-2025-57928 | WordPress AWP Classifieds plugin <= 4.4.3 - Content Injection vulnerability | AWP Classifieds | 5.3 | Medium | 2025-09-22
CVE-2025-10125 | Memberlite Shortcodes <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | Memberlite Shortcodes | 6.4 | Medium | 2025-09-17
CVE-2025-58430 | listmonk Vulnerable to CSRF to XSS Chain That Can Lead to Admin Account Takeover | listmonk | 9.1 (AI) | Critical (AI) | 2025-09-09
CVE-2025-20342 | Cisco Integrated Management Controller Virtual Keyboard Video Monitor (vKVM) Stored Cross-Site Scripting Vulnerability | Cisco Unified Computing System (Managed) | 5.4 | Medium | 2025-08-27
CVE-2025-6247 | WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.118.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | WordPress Automatic Plugin | 4.7 | Medium | 2025-08-26
CVE-2025-57730 | JetBrains IntelliJ IDEA security vulnerability | IntelliJ IDEA | 5.2 | Medium | 2025-08-20
CVE-2025-55291 | Shaarli allows reflected XSS via searchtags parameter | Shaarli | 7.1 | High | 2025-08-18
CVE-2025-54117 | NamelessMC allows Stored Cross-Site Scripting (XSS) in dashboard text editor | Nameless | 9.1 | Critical | 2025-08-18
CVE-2025-55672 | Apache Superset: Stored XSS on charts metadata | Apache Superset | 5.4 (AI) | Medium (AI) | 2025-08-14
CVE-2025-54698 | WordPress Classified Listing Plugin plugin <= 5.0.0 - Content Injection Vulnerability | Classified Listing | 5.4 | Medium | 2025-08-14
CVE-2025-8621 | Mosaic Generator <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'c' Parameter | Mosaic Generator | 6.4 | Medium | 2025-08-12
CVE-2025-20331 | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability | Cisco Identity Services Engine Software | 5.4 | Medium | 2025-08-06
CVE-2025-54789 | Files is Vulnerable to Reflected Self-XSS through its File Move Functionality | cfiles | 5.4 | - | 2025-08-01
CVE-2025-52897 | GLPI is vulnerable to XSS and open redirection attacks through planning feature | glpi | 6.5 | Medium | 2025-07-30
CVE-2025-27514 | GLPI is susceptible to Stored XSS attack through project's kanban | glpi | 4.5 | Medium | 2025-07-29
CVE-2024-49343 | IBM Informix Dynamic Server HTML injection | Informix Dynamic Server | 5.4 | Medium | 2025-07-28
CVE-2025-54414 | Anubis accepts crafted redirect URLs in pass-challenge 'Try Again' buttons | anubis | 7.1 | - | 2025-07-26
CVE-2025-31326 | HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | 4.1 | Medium | 2025-07-08

Vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) account for 403 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.