Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-84 (Web页面编码URIScheme转义处理不恰当) — Vulnerability Class 10

10 vulnerabilities classified as CWE-84 (Web页面编码URIScheme转义处理不恰当). AI Chinese analysis included.

CWE-84 represents an input validation weakness where web applications fail to properly sanitize user-controlled data containing encoded Uniform Resource Identifier (URI) schemes. Attackers typically exploit this vulnerability by embedding malicious scripts within specially crafted URLs that utilize URI encoding to bypass standard security filters. When the application processes this input without adequate neutralization, the encoded script executes in the victim’s browser, potentially leading to cross-site scripting (XSS) attacks, session hijacking, or unauthorized actions. To prevent such exploits, developers must implement robust input validation strategies that strictly whitelist allowed characters and schemes. Additionally, applying context-specific output encoding ensures that any user-supplied data is safely rendered by the browser. Regular security testing and the use of established libraries for URI parsing further mitigate the risk of executing unintended code through encoded URI schemes.

MITRE CWE Description
The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.
Common Consequences (1)
IntegrityUnexpected State
Mitigations (5)
ImplementationResolve all URIs to absolute or canonical representations before processing.
ImplementationCarefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS v…
ImplementationUse and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
ImplementationWith Struts, write all data from form beans with the bean's filter attribute set to true.
ImplementationTo help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
CVE IDTitleCVSSSeverityPublished
CVE-2025-58444 MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server — inspector 6.1AIMediumAI2025-09-08
CVE-2024-52890 IBM Engineering Lifecycle Optimization - Publishing cross-site scripting — IBM Engineering Lifecycle Optimization - Publishing 6.1 Medium2025-08-05
CVE-2025-30203 Tuleap allows XSS via the content of RSS feeds in the RSS widgets — tuleap 4.8 Medium2025-03-31
CVE-2024-42184 HCL BigFix Patch Download Plug-ins are affected by insecure support for file URI scheme — BigFix Patch Management Download Plug-ins 2.5 Low2025-01-23
CVE-2024-45045 JavaScript Injection via url encoded values in links in Collabora Office Android — online 6.3 Medium2024-08-29
CVE-2023-30959 Stored XSS via javascript URI in Apollo Change Requests comment — com.palantir.apollo:autopilot 4.1 Medium2023-09-26
CVE-2023-25571 Backstage has XSS Vulnerability in Software Catalog — backstage 6.8 Medium2023-02-14
CVE-2022-40181 多款Siemens产品跨站脚本漏洞 — Desigo PXM30-1 7.3 -2022-10-11
CVE-2021-3824 Openvpn OpenVPN 跨站脚本漏洞 — OpenVPN Access Server 6.1 -2021-09-23
CVE-2020-7011 Elastic App Search 跨站脚本漏洞 — Elastic App Search 6.1 -2020-06-03

Vulnerabilities classified as CWE-84 (Web页面编码URIScheme转义处理不恰当) represent 10 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.