
CWE-83 Improper Neutralization of Script in Attributes in a Web Page: vulnerability list (12)

Summary of the 12 CVE entries associated with the CWE-83 weakness class (Improper Neutralization of Script in Attributes in a Web Page), with AI-generated analysis in Chinese.

CWE-83 is a script-injection weakness (a child of the general cross-site scripting weakness, CWE-79): a web page writes untrusted input into an HTML tag attribute without correctly filtering or encoding it, so a dangerous URI such as "javascript:" survives into the rendered page. Attackers typically exploit this by placing script in event-handler attributes (onmouseover, onload, onerror) or in the style attribute, or by supplying a "javascript:" URI to a URL-valued attribute such as href or src; the browser then runs the script in the victim's session. Developers should validate input against a strict allowlist, encode special characters for the exact context being written (HTML-entity encoding for attribute values, plus a scheme check for URL-valued attributes, because entity encoding alone does not stop "javascript:" in an href), and add defence-in-depth measures such as Content Security Policy (CSP) so that attribute values contain only what was intended and no script can execute.
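The following is an added example, not code from this page, from MITRE, or from any of the products listed below. It shows the CWE-83 pattern in the DOM (an anchor built by string concatenation, so attacker-controlled href and title values land in attributes unencoded) beside a hardened version that scheme-checks the URL and entity-encodes both attribute values. The function names, the allowlist of schemes and the attack strings are all assumptions constructed for the demonstration; the normalisation of tab/newline and control characters before the scheme check mirrors how browsers parse URLs, which is why a literal match on "javascript:" is not enough.

```javascript
// Added example (not from the page or from MITRE): CWE-83 in the DOM and how to
// neutralize it. Runs under Node.js with no dependencies. All sample inputs below
// are constructed for the demonstration and do not correspond to any listed CVE.

// Vulnerable: untrusted data is concatenated straight into attributes. A title of
// '" onmouseover="alert(1)' closes the title attribute and adds an event handler;
// an href of 'javascript:alert(1)' runs when the link is clicked.
function renderLinkVulnerable(href, title) {
  return '<a href="' + href + '" title="' + title + '">link</a>';
}

// Encode every character that can terminate or reinterpret an HTML attribute
// value. '&' is encoded first so the later replacements are not double-encoded.
function encodeForHtmlAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical allowlist for this example: only these schemes may appear in href.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Browsers drop tab/newline (and leading/trailing control characters and spaces)
// while parsing a URL and compare the scheme case-insensitively, so "java\tscript:"
// and "JAVASCRIPT:" must be normalised before the check, not matched literally.
// Scheme-less (relative) URLs are allowed; any other scheme becomes about:blank.
function sanitizeUrl(value) {
  const cleaned = String(value).replace(/[\u0000-\u001f\u007f]/g, '').trim();
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!schemeMatch) return cleaned; // relative URL, no scheme to abuse
  return SAFE_SCHEMES.has(schemeMatch[1].toLowerCase() + ':') ? cleaned : 'about:blank';
}

// Hardened: scheme-check first, then attribute-encode. Doing the encoding after the
// check means an input like "javascript&colon;alert(1)" stays an inert literal
// ("&amp;colon;") instead of being entity-decoded back into a colon by the browser.
function renderLinkHardened(href, title) {
  return '<a href="' + encodeForHtmlAttribute(sanitizeUrl(href)) +
         '" title="' + encodeForHtmlAttribute(title) + '">link</a>';
}

// Constructed attack inputs exercising the scheme check and the attribute break-out.
const SAMPLES = [
  ['javascript:alert(1)', 'docs'],
  ['JaVaScRiPt:alert(1)', 'docs'],
  ['java\tscript:alert(1)', 'docs'],
  ['javascript&colon;alert(1)', 'docs'],
  ['https://example.com/', '" onmouseover="alert(1)'],
  ['/relative/path?q=1', "It's fine"],
];

for (const [href, title] of SAMPLES) {
  console.log('vulnerable:', renderLinkVulnerable(href, title));
  console.log('hardened:  ', renderLinkHardened(href, title));
}
```

Run it with `node` and compare the two output lines per sample: every vulnerable rendering either carries a "javascript:" href or a stray onmouseover attribute, while every hardened rendering has either a safe or an about:blank href and a single, intact title attribute. Note that a scheme allowlist is only appropriate for attributes that hold URLs; for event-handler and style attributes the correct fix is not to write untrusted data into them at all.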

MITRE CWE official description
CWE-83: Improper Neutralization of Script in Attributes in a Web Page. The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data; Execute Unauthorized Code or Commands.
Potential Mitigations (4)
Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS v…
Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
Associated CVE entries. Values marked (AI) are scores or ratings the platform labels as AI-estimated rather than taken from the official record.

CVE ID         | Title                                                            | Component                                 | CVSS     | Risk          | Published
CVE-2026-23516 | CVAT.ai CVAT security vulnerability                              | cvat                                      | 6.5 (AI) | Medium (AI)   | 2026-01-21
CVE-2026-22849 | saleor security vulnerability                                    | saleor                                    | 5.4 (AI) | Medium (AI)   | 2026-01-21
CVE-2025-4615  | Palo Alto Networks PAN-OS security vulnerability                 | Cloud NGFW                                | 7.2 (AI) | High (AI)     | 2025-10-09
CVE-2025-0137  | Palo Alto Networks PAN-OS security vulnerability                 | Cloud NGFW                                | 7.2 (AI) | High (AI)     | 2025-05-14
CVE-2025-0125  | Palo Alto Networks PAN-OS security vulnerability                 | Cloud NGFW                                | 7.2 (AI) | High (AI)     | 2025-04-11
CVE-2024-9103  | Forcepoint Email Security security vulnerability                 | Email Security                            | 6.1      | Medium        | 2025-03-24
CVE-2025-27145 | Copyparty security vulnerability                                 | copyparty                                 | 3.6      | Low           | 2025-02-25
CVE-2023-37908 | XWiki Rendering cross-site scripting vulnerability               | xwiki-rendering                           | 9.1      | Critical      | 2023-10-25
CVE-2023-30958 | Foundry Frontend cross-site scripting vulnerability              | com.palantir.foundry:foundry-frontend     | 4.7      | Medium        | 2023-08-03
CVE-2023-32070 | XWiki Platform cross-site scripting vulnerability                | xwiki-rendering                           | 9.1      | Critical      | 2023-05-10
CVE-2022-39262 | GLPI cross-site scripting vulnerability                          | glpi                                      | 5.2      | Medium        | 2022-11-03
CVE-2020-14525 | Philips Clinical Collaboration Platform input validation error   | Clinical Collaboration Platform           | 3.5      | Low           | 2020-09-18

CWE-83 (Improper Neutralization of Script in Attributes in a Web Page) is a common weakness class; this platform lists 12 CVE entries associated with it.