CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) — Vulnerability Class with 403 CVEs

403 vulnerabilities are classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)). An AI-generated Chinese-language analysis is included.

CWE-80 represents a critical input validation weakness where applications fail to properly sanitize user-supplied data before rendering it in web pages. This flaw allows attackers to inject malicious scripts, typically JavaScript, into the HTML content viewed by other users. Exploitation usually occurs when an attacker crafts a malicious URL or form input containing script tags, which the vulnerable application then executes in the victim’s browser without proper filtering. This can lead to severe consequences such as session hijacking, credential theft, or defacement. To mitigate this risk, developers must implement robust output encoding strategies, ensuring that all special characters like angle brackets and ampersands are converted into their safe HTML entity equivalents. Additionally, employing Content Security Policy headers and utilizing modern frameworks with built-in escaping mechanisms further reduces the attack surface by preventing the execution of unauthorized scripts.

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability · Impact: Read Application Data, Execute Unauthorized Code or Commands
An attacker could insert special characters that are processed client-side in the context of the user's session.
Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Examples (1)
In the following example, a guestbook comment isn't properly encoded, filtered, or otherwise neutralized for script-related tags before being displayed in a client browser.
<% for (Iterator i = guestbook.iterator(); i.hasNext(); ) {
    Entry e = (Entry) i.next(); %>
    <p>Entry #<%= e.getId() %></p>
    <p><%= e.getText() %></p>
<% } %>
Bad · JSP
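As an added example (not part of the MITRE entry or this page), the same guestbook loop in Python, once reproducing the defect above and once with the untrusted text HTML-entity encoded before output, as the mitigations describe. The entries, the render functions and the script-tag check are constructed for this demonstration.

```python
import html
import re

# Constructed guestbook entries for the demonstration (sample data, not from the page).
# The third entry is the kind of comment CWE-80 is about: it carries a script-related tag.
GUESTBOOK = [
    {"id": 1, "text": "Nice site!"},
    {"id": 2, "text": "Tom & Jerry > everyone"},
    {"id": 3, "text": "<script>alert(1)</script>"},
]


def render_vulnerable(entries):
    """Mirrors the JSP above: e.getText() is concatenated into the page unchanged,
    so any "<", ">" or "&" in the comment is parsed by the browser as markup."""
    return "".join(f"<p>Entry #{e['id']}</p><p>{e['text']}</p>" for e in entries)


def render_fixed(entries):
    """Same loop with HTML output encoding applied to the untrusted text.
    html.escape maps & < > " ' to &amp; &lt; &gt; &quot; &#x27;, so the comment
    is displayed literally instead of being interpreted as a tag."""
    return "".join(
        f"<p>Entry #{e['id']}</p><p>{html.escape(e['text'], quote=True)}</p>"
        for e in entries
    )


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def has_live_script_tag(rendered):
    """Crude check used only to compare the two renderings: does the output
    still contain an unencoded <script tag that a browser would execute?"""
    return _SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(GUESTBOOK))
    print("fixed:     ", render_fixed(GUESTBOOK))
```

html.escape is correct for the HTML body context shown here; text placed into an attribute, a URL or inline JavaScript needs the encoding for that context instead.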
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2024-49337 · IBM OpenPages HTML injection — OpenPages with Watson · 5.4 · Medium · 2025-02-20
CVE-2024-13704 · Super Testimonials <= 4.0.1 - Unauthenticated Stored Cross-Site Scripting — Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress · 7.2 · High · 2025-02-18
CVE-2024-46910 · Apache Atlas: An authenticated user can perform XSS and potentially impersonate another user — Apache Atlas · 5.4 · - · 2025-02-13
CVE-2025-22402 · Dell Update Manager Plugin security vulnerability — Update Manager Plugin · 2.6 · Low · 2025-02-07
CVE-2024-38318 · IBM Aspera Shares HTML injection — Aspera Shares · 4.8 · Medium · 2025-02-05
CVE-2024-11954 · Pimcore Search Document cross site scripting — Pimcore · 2.4 · Low · 2025-01-28
CVE-2025-24680 · WordPress WP Multi Store Locator Plugin <= 2.4.7 - Cross Site Scripting (XSS) vulnerability — WP Multistore Locator · 7.1 · High · 2025-01-27
CVE-2024-35112 · IBM Control Center cross-site scripting — Control Center · 5.4 · Medium · 2025-01-25
CVE-2025-24678 · WordPress Listamester Plugin <= 2.3.4 - Cross Site Scripting (XSS) vulnerability — Listamester · 6.5 · Medium · 2025-01-24
CVE-2025-24673 · WordPress Ketchup Shortcodes Plugin <= 0.1.2 - Cross Site Scripting (XSS) vulnerability — Ketchup Shortcodes · 6.5 · Medium · 2025-01-24
CVE-2025-23919 · WordPress Slides & Presentations Plugin <= 0.0.39 - Content Injection vulnerability — Slides & Presentations · 5.4 · Medium · 2025-01-16
CVE-2024-39363 · WAVLINK AC3000 security vulnerability — Wavlink AC3000 · 9.6 · Critical · 2025-01-14
CVE-2024-52967 · Fortinet FortiPortal security vulnerability — FortiPortal · 3.3 · Low · 2025-01-14
CVE-2024-51472 · IBM DevOps Deploy / IBM UrbanCode Deploy HTML injection — DevOps Deploy · 3.1 · Low · 2025-01-06
CVE-2024-41752 · IBM Cognos Analytics HTML injection — Cognos Analytics · 5.4 · Medium · 2024-12-18
CVE-2024-12127 · Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS <= 0.0.21 - Reflected Cross-Site Scripting via page Parameter — Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS · 6.1 · Medium · 2024-12-17
CVE-2024-54223 · WordPress ARForms plugin <= 1.7.1 - HTML Injection vulnerability — ARForms Form Builder · 5.3 · Medium · 2024-12-09
CVE-2023-47869 · WordPress wpForo plugin <= 2.2.5 - Broken Access Control + CSRF vulnerability — wpForo Forum · 4.3 · Medium · 2024-12-09
CVE-2024-54128 · Directus has an HTML Injection in Comment — directus · 5.7 · Medium · 2024-12-05
CVE-2024-54001 · Kanboard allows a persistent HTML injection site scripting in settings page date format — kanboard · 5.5 · Medium · 2024-12-05
CVE-2024-42195 · HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection — DevOps Deploy / Launch · 3.1 · Low · 2024-12-05
CVE-2020-26067 · Cisco Webex Teams Web Interface Cross-Site Scripting Vulnerability — Cisco Webex Teams · 5.4 · Medium · 2024-11-18
CVE-2024-10592 · Mapster WP Maps <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting — Mapster WP Maps · 6.4 · Medium · 2024-11-16
CVE-2022-20654 · Cisco Webex Meetings Cross-Site Scripting Vulnerability — Cisco Webex Meetings · 6.1 · Medium · 2024-11-15
CVE-2024-52300 · macro-pdfviewer has a XSS through the width parameter — macro-pdfviewer · 9.1 · Critical · 2024-11-13
CVE-2024-10038 · WP-Strava <= 2.12.1 - Authenticated (Administrator+) Stored Cross-Site Scripting — WP-Strava · 6.1 · Medium · 2024-11-13
CVE-2024-51689 · WordPress CF7 WOW Styler plugin <= 1.6.8 - Reflected Cross Site Scripting (XSS) vulnerability — CF7 WOW Styler · 7.1 · High · 2024-11-09
CVE-2024-10621 · Simple Shortcode for Google Maps <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Simple Shortcode for Google Maps · 6.4 · Medium · 2024-11-08
CVE-2024-20504 · Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Stored Cross-Site Scripting Vulnerabilities — Cisco Secure Email · 5.4 · Medium · 2024-11-06
CVE-2024-9147 · HTML Injection in Bna Informatics' PosPratik — PosPratik · 6.1 (AI) · Medium (AI) · 2024-11-04

Vulnerabilities classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) account for 403 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.