
CWE-81 (Improper Neutralization of Script in an Error Message Web Page) — Vulnerability Class 6

6 vulnerabilities classified as CWE-81 (Improper Neutralization of Script in an Error Message Web Page). AI-generated Chinese analysis included.

CWE-81 is an output-neutralization weakness, a variant of cross-site scripting (CWE-79) confined to error pages: the application fails to neutralize characters the browser would interpret as script before rendering user-supplied data in an error response. It typically appears when input that triggers an error (a request for a non-existent path, a forbidden resource, a malformed parameter) is echoed into a customized 404 Not Found or 403 Forbidden page, as in "The page /foo was not found". An attacker places script syntax in the URL, a query parameter, or a header; the server reflects it into the error body without encoding; and when a victim who follows the crafted link views the page, the script runs in their browser under the site's origin, where it can read session cookies that are not HttpOnly, perform actions as the user, or redirect them to a phishing site. Because error handlers are often written once per framework and rarely reviewed, they are a common place for a site that otherwise encodes its templates correctly to leak a reflected XSS. The fix is to treat anything user-controlled in an error page as plain text: apply context-appropriate output encoding (HTML entity encoding for element content, attribute encoding inside attributes) to every piece of dynamic content, declare the response charset explicitly so the browser cannot sniff a different one, and preferably omit the offending input from the error page altogether.
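The pattern above, as an added example that is not part of this page or of any of the listed products: a constructed 404 handler that echoes the request path unencoded, next to two hardened variants (entity-encoded, and no echo at all), plus a small probe that checks whether raw script syntax survives into the response body. The handler and probe names, the probe payload, and the response-header choices are the example's own assumptions.

```python
import html
from urllib.parse import unquote

# Constructed probe: only "works" if it reaches the page without encoding.
PROBE = '<img src=x onerror=alert(1)>'


def render_404_vulnerable(request_path: str) -> str:
    """Echo the decoded request path straight into the error page (CWE-81)."""
    path = unquote(request_path)  # frameworks usually hand the handler a decoded path
    return (
        "<!doctype html><html><body><h1>404 Not Found</h1>"
        f"<p>The page {path} does not exist.</p></body></html>"
    )


def render_404_hardened(request_path: str) -> str:
    """Same page, but the path is HTML-entity encoded before insertion."""
    path = unquote(request_path)
    safe = html.escape(path, quote=True)  # & < > " ' become entities
    return (
        "<!doctype html><html><body><h1>404 Not Found</h1>"
        f"<p>The page {safe} does not exist.</p></body></html>"
    )


def render_404_static(request_path: str) -> str:
    """MITRE's first mitigation: do not write user-controlled input to the page at all."""
    return (
        "<!doctype html><html><body><h1>404 Not Found</h1>"
        "<p>The requested page does not exist.</p></body></html>"
    )


def build_response(render, request_path: str):
    """Assemble a minimal (status, headers, body) triple.

    The explicit charset follows the 'specify an output encoding' mitigation so
    a browser cannot infer a different encoding; nosniff stops MIME guessing.
    """
    body = render(request_path)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 404, headers, body


def reflects_unencoded(render, probe: str = PROBE) -> bool:
    """Probe a renderer: True if the raw script syntax survives into the body."""
    _, _, body = build_response(render, "/missing/" + probe)
    return probe in body


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_404_vulnerable),
                     ("hardened", render_404_hardened),
                     ("static", render_404_static)]:
        print(f"{name:10s} reflects probe unencoded: {reflects_unencoded(fn)}")
```

The probe is the same check a scanner performs against a live site: request a path that cannot exist, carrying a harmless marker containing `<` and `>`, and look for the marker unchanged in the 404 body. Note that `html.escape` is only correct for element content; a path placed inside an attribute or a script block needs the encoding for that context instead.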

MITRE CWE Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page. Error pages may include customized 403 Forbidden or 404 Not Found pages. When an attacker can trigger an error that contains script syntax within the attacker's input, then cross-site scripting attacks may be possible.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data; Execute Unauthorized Code or Commands.
Mitigations (5)
Phase: Implementation. Do not write user-controlled input to error pages.
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities i…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n… Effectiveness: Defense in Depth.
CVE ID | Title | Affected product | CVSS | Severity | Published
CVE-2025-24344 | Bosch Rexroth ctrlX OS security vulnerability | ctrlX OS - Solutions | 6.3 | Medium | 2025-04-30
CVE-2025-0883 | vulnerability has been discovered in OpenText™ Service Manager. | Service Manager | 4.3 | (not given) | 2025-03-12
CVE-2024-6892 | Journyx Reflected Cross Site Scripting | Journyx (jtime) | 6.1 (AI-estimated) | Medium (AI-estimated) | 2024-08-07
CVE-2022-4137 | Keycloak: reflected xss attack | Red Hat Single Sign-On 7 | 8.1 | High | 2023-09-25
CVE-2022-4361 | Red Hat Keycloak cross-site scripting vulnerability | keycloak | 10.0 | Critical | 2023-07-07
CVE-2019-25027 | Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13 | Vaadin | 6.1 | Medium | 2021-04-23

Vulnerabilities classified as CWE-81 (Improper Neutralization of Script in an Error Message Web Page) account for 6 CVEs on this page. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.