
CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page: vulnerability list (7)

CWE-82 (Improper Neutralization of Script in Attributes of IMG Tags in a Web Page): summary of the 7 CVE entries in this weakness class, with AI-generated Chinese analysis.

CWE-82 is a variant of cross-site scripting (XSS) in which a web application fails to neutralize scripting elements placed in the attributes of IMG tags. An attacker injects a payload into an attribute such as src; because the browser processes the IMG tag as soon as the page is rendered, the payload executes without any user interaction. In practice the injected value either contains a quote that closes the attribute and adds an event-handler attribute (for example onerror or onload, which fire when the image fails or finishes loading), or is a non-image URL scheme such as javascript: that older browsers honoured in src. Developers should validate user input against an allowlist of acceptable URLs and encode it for the attribute context, so that IMG attribute values contain only legitimate content and injected script cannot be executed.

MITRE CWE official description
CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page. The web application does not neutralize, or incorrectly neutralizes, scripting elements within attributes of HTML IMG tags, such as the src attribute. Attackers can embed XSS exploits into the values of IMG attributes (e.g. SRC) that are then delivered to and executed in a victim's browser. Note that when the page is loaded into the user's browser, the exploit executes automatically.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability. Technical impact: Read Application Data; Execute Unauthorized Code or Commands.
Mitigations (2)
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
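As an added example (not code from this page, from MITRE, or from any of the projects listed below), the following Node.js snippet shows the weakness described above beside the validate-then-encode fix that the output-encoding mitigation calls for. renderImgUnsafe concatenates an untrusted value straight into the src attribute; renderImgSafe restricts the value to http(s) URLs or to paths under an assumed /images/ directory and then attribute-encodes it; attributeNames is a small check that lists which attributes a browser would actually see on the resulting tag. All function names, the /images/ prefix and the payloads are assumptions constructed for this example.

```javascript
// Added example (not code from the page or from any listed project): an <img>
// tag built from an untrusted URL, first the way CWE-82 describes, then with
// an allowlist check plus attribute encoding. Payloads below are constructed.

// Vulnerable: the untrusted value is concatenated straight into the src
// attribute, so a quote in the input closes the attribute and anything after
// it (e.g. onerror="...") becomes a live attribute of the tag.
function renderImgUnsafe(userSrc) {
  return '<img src="' + userSrc + '">';
}

// Encode a value for use inside a double-quoted HTML attribute. Every
// character that could end the attribute or start a tag is replaced.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Allowlist for image sources: an absolute http(s) URL, or a relative path
// under /images/ (the directory is an assumption for this example). Any other
// scheme (javascript:, data:, vbscript:) or an unparseable value is rejected.
function isSafeImageUrl(value) {
  const s = String(value).trim();
  if (/^\/images\/[A-Za-z0-9_./-]+$/.test(s) && !s.includes('..')) {
    return true;
  }
  let url;
  try {
    url = new URL(s); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Hardened: validate first, then encode. Encoding alone would still let a
// javascript: URL through; validation alone would still let a quote inside an
// otherwise valid https URL break out of the attribute. Rejected values are
// replaced by a fixed placeholder instead of being echoed back.
function renderImgSafe(userSrc) {
  if (!isSafeImageUrl(userSrc)) {
    return '<img src="/images/placeholder.png" alt="">';
  }
  return '<img src="' + encodeAttr(String(userSrc).trim()) + '" alt="">';
}

// Check used below: list the attribute names a browser would see on a tag
// whose attributes are all double-quoted. An injected onerror/onload shows up
// as its own attribute; an encoded one stays inside the src value.
function attributeNames(tag) {
  const names = [];
  const re = /([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed inputs: one benign URL and three attribute/scheme injections.
const SAMPLE_INPUTS = [
  'https://cdn.example/a.png',
  'x" onerror="alert(1)',
  'javascript:alert(1)',
  'https://cdn.example/a.png" onload="alert(1)',
];

for (const input of SAMPLE_INPUTS) {
  console.log('input :', input);
  console.log('unsafe:', renderImgUnsafe(input), attributeNames(renderImgUnsafe(input)));
  console.log('safe  :', renderImgSafe(input), attributeNames(renderImgSafe(input)));
}
```

The fourth payload is the one worth noting: it is a syntactically valid https URL, so an allowlist on the scheme alone accepts it, and only the attribute encoding keeps the embedded quote from terminating src and turning onload into a real attribute. That is why the two steps belong together, and why attributeNames (or a real HTML parser in production) is the right check, rather than grepping the output for the string "onload".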
CVE ID | Title | Component | CVSS | Severity | Published
CVE-2025-53194 | WordPress plugin JetEngine security vulnerability | JetEngine | 8.5 | High | 2025-08-20
CVE-2024-52427 | WordPress plugin Event Tickets with Ticket Scanner security vulnerability | Event Tickets with Ticket Scanner | 9.9 | Critical | 2024-11-18
CVE-2024-52434 | WordPress plugin Popup by Supsystic security vulnerability | Popup by Supsystic | 9.1 | Critical | 2024-11-18
CVE-2024-52393 | WordPress plugin Podlove Podcast Publisher security vulnerability | Podlove Podcast Publisher | 9.1 | Critical | 2024-11-14
CVE-2024-48042 | WordPress plugin Contact Form by Supsystic security vulnerability | Contact Form by Supsystic | 9.1 | Critical | 2024-10-16
CVE-2024-49271 | WordPress plugin Unlimited Elements For Elementor security vulnerability | Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | 9.1 | Critical | 2024-10-16
CVE-2023-30963 | Palantir Foundry cross-site scripting vulnerability | com.palantir.foundry:foundry-frontend | 5.4 | Medium | 2023-07-10

CWE-82 (Improper Neutralization of Script in Attributes of IMG Tags in a Web Page) is a recognized weakness category; this platform lists the 7 CVE entries associated with it.