
CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) — Vulnerability Class 403

403 vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)). AI Chinese analysis included.

CWE-80 represents a critical input validation weakness where applications fail to properly sanitize user-supplied data before rendering it in web pages. This flaw allows attackers to inject malicious scripts, typically JavaScript, into the HTML content viewed by other users. Exploitation usually occurs when an attacker crafts a malicious URL or form input containing script tags, which the vulnerable application then executes in the victim’s browser without proper filtering. This can lead to severe consequences such as session hijacking, credential theft, or defacement. To mitigate this risk, developers must implement robust output encoding strategies, ensuring that all special characters like angle brackets and ampersands are converted into their safe HTML entity equivalents. Additionally, employing Content Security Policy headers and utilizing modern frameworks with built-in escaping mechanisms further reduces the attack surface by preventing the execution of unauthorized scripts.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability
Impact: Read Application Data, Execute Unauthorized Code or Commands
Note: An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.
<% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
       Entry e = (Entry) i.next(); %>
    <p>Entry #<%= e.getId() %></p>
    <p><%= e.getText() %></p>
<% } %>
Bad · JSP
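The fix the description calls for is output encoding at the point where e.getText() is written into the page. The following is an added example, not code from MITRE or from this page: a Python port of the guestbook loop in both its vulnerable and hardened forms, with a hand-written HTML entity encoder (the Entry class and sample comments are constructed for illustration).

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """Constructed stand-in for the Entry bean in the JSP example."""
    id: int
    text: str


def encode_for_html(value: str) -> str:
    """Encode the characters CWE-80 names ('<', '>', '&') plus both quote
    characters as HTML entities so stored text is rendered, not parsed.
    A single-pass translation table avoids the classic double-encoding bug
    of chained replace() calls, where '&' replaced after '<' would turn
    '&lt;' into '&amp;lt;'. Behaves like html.escape(value, quote=True)."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}
    return value.translate(str.maketrans(table))


def render_vulnerable(entries):
    """Mirror of the page's 'Bad' JSP loop: the comment body is written raw."""
    return "".join(f"<p>Entry #{e.id}</p><p>{e.text}</p>" for e in entries)


def render_hardened(entries):
    """Same loop, with the comment body encoded on output."""
    return "".join(
        f"<p>Entry #{e.id}</p><p>{encode_for_html(e.text)}</p>" for e in entries
    )


def contains_injected_tag(rendered: str, entries) -> bool:
    """Defender's check: did any comment containing '<' reach the output
    verbatim? Only such text can become an element in the browser."""
    return any(e.text in rendered for e in entries if "<" in e.text)


# Constructed sample comments; the third is a typical test string for
# confirming that markup in a comment is neutralized.
SAMPLE_ENTRIES = [
    Entry(1, "Great site!"),
    Entry(2, 'Tom & Jerry say "hi" <3'),
    Entry(3, "<script>alert(1)</script>"),
]

if __name__ == "__main__":
    print("vulnerable leaks markup:", contains_injected_tag(render_vulnerable(SAMPLE_ENTRIES), SAMPLE_ENTRIES))
    print("hardened leaks markup:  ", contains_injected_tag(render_hardened(SAMPLE_ENTRIES), SAMPLE_ENTRIES))
    print(render_hardened(SAMPLE_ENTRIES))
```

In JSP the equivalent change is to write the entry through an escaping tag or function (for example JSTL's c:out, which escapes by default) instead of a raw <%= %> expression.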
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-27358 | WordPress Frontend File Manager plugin <= 23.6 - Content Injection vulnerability | Frontend File Manager | 4.6 | Medium | 2025-07-04
CVE-2025-2895 | IBM Cloud Pak System HTML injection | Cloud Pak System | 5.4 | Medium | 2025-06-30
CVE-2023-38007 | IBM Cloud Pak System HTML injection | Cloud Pak System | 5.4 | Medium | 2025-06-27
CVE-2025-4367 | Download Manager <= 3.3.18 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode | Download Manager | 6.4 | Medium | 2025-06-19
CVE-2025-4278 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab | GitLab | 8.7 | High | 2025-06-12
CVE-2025-5686 | Paged Gallery <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting | Paged Gallery | 6.4 | Medium | 2025-06-06
CVE-2025-23393 | Reflected XSS in spacewalk-java | Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1 | 5.2 | Medium | 2025-05-27
CVE-2025-23392 | Reflected XSS in SystemsController.java in spacewalk-java | Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1 | 5.2 | Medium | 2025-05-26
CVE-2025-33138 | IBM Aspera Faspex HTML injection | Aspera Faspex | 5.4 | Medium | 2025-05-22
CVE-2025-20267 | Cisco Identity Services Stored Cross-Site Scripting Vulnerability | Cisco Identity Services Engine Software | 4.8 | Medium | 2025-05-21
CVE-2024-51475 | IBM Content Navigator HTML injection | Content Navigator | 5.4 | Medium | 2025-05-16
CVE-2025-4126 | EG-Series <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | EG-Series | 6.4 | Medium | 2025-05-15
CVE-2025-4168 | Subpage List <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting | Subpage List | 6.4 | Medium | 2025-05-03
CVE-2025-3521 | Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | Team Members Showcase | 6.4 | Medium | 2025-05-01
CVE-2025-39524 | WordPress Html5 Audio Player plugin <= 2.2.28 - Cross Site Scripting (XSS) Vulnerability | Html5 Audio Player | 6.5 | Medium | 2025-04-16
CVE-2025-32230 | WordPress Tutor LMS plugin <= 3.4.0 - HTML Injection vulnerability | Tutor LMS | 4.3 | Medium | 2025-04-10
CVE-2025-31384 | WordPress Videos plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability | Videos | 7.1 | High | 2025-04-04
CVE-2025-0272 | HCL DevOps Deploy / HCL Launch is susceptible to an HTML injection vulnerability | HCL DevOps Deploy / HCL Launch | 5.4 | Medium | 2025-04-03
CVE-2025-30676 | Apache OFBiz: Stored XSS Vulnerability | Apache OFBiz | 6.1 | - | 2025-04-01
CVE-2025-30210 | Bruno XSS On Environment Name | bruno | 6.1 (AI) | Medium (AI) | 2025-04-01
CVE-2025-30161 | OpenEMR Stored XSS in OpenEMR Bronchitis Form | openemr | 5.4 | - | 2025-03-31
CVE-2025-31604 | WordPress Cal.com plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability | Cal.com | 6.5 | Medium | 2025-03-31
CVE-2025-31575 | WordPress Flag Icons plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability | Flag Icons | 5.9 | Medium | 2025-03-31
CVE-2025-22501 | WordPress Improve My City plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability | Improve My City | 7.1 | High | 2025-03-28
CVE-2025-31075 | WordPress MicroPayments plugin <= 2.9.29 - Cross Site Scripting (XSS) vulnerability | MicroPayments | 6.5 | Medium | 2025-03-28
CVE-2025-1997 | IBM UrbanCode Deploy (UCD) / IBM DevOps Deploy HTML injection | UrbanCode Deploy | 5.4 | Medium | 2025-03-27
CVE-2024-13497 | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.9 - Unauthenticated Stored Cross-Site Scripting | WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto | 7.2 | High | 2025-03-15
CVE-2025-27099 | Tuleap allows XSS via the tracker names used in the semantic timeframe deletion message | tuleap | 4.8 | Medium | 2025-03-03
CVE-2025-1807 | Eastnets PaymentSafe Edit Manual Reply directRouter.rfc cross site scripting | PaymentSafe | 3.5 | Low | 2025-03-02
CVE-2025-22274 | HTML injection in CyberArk Endpoint Privilege Manager | Endpoint Privilege Manager | 5.4 | - | 2025-02-28

Vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) represent 403 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.