
CWE-87 Improper Neutralization of Alternate XSS Syntax: vulnerability list (34)

Summary of 34 CVEs associated with the CWE-87 (Improper Neutralization of Alternate XSS Syntax) weakness class, with AI-generated Chinese-language analysis.

CWE-87 belongs to the cross-site scripting family: the software fails to correctly neutralize alternate script syntax in user input. An attacker exploits this flaw by crafting non-standard or mutated script tags that slip past input filtering, so that malicious code runs in the victim's browser, stealing data or tampering with the page. Developers should enforce strict allowlist input validation, encode special characters consistently, and apply context-aware output encoding, so that all user input is handled safely and alternate syntax is never parsed and executed.

MITRE CWE official description
CWE-87: Improper Neutralization of Alternate XSS Syntax. Description: The product does not neutralize or incorrectly neutralizes user-controllable input for alternate script syntax.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Read Application Data; Execute Unauthorized Code or Commands.
Mitigations (5)
1. Phase: Implementation. Resolve all input to absolute or canonical representations before processing.
2. Phase: Implementation. Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS v…
3. Phase: Implementation. Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
4. Phase: Implementation. With Struts, write all data from form beans with the bean's filter attribute set to true.
5. Phase: Implementation. To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n… Effectiveness: Defense in Depth.
Code example (1)
In the following example, an XSS neutralization method intends to replace script tags in user-supplied input with a safe equivalent:

    // Bad: a single, case-sensitive blocklist token. Any alternate spelling or
    // encoding of the tag name passes through unchanged, and nothing is encoded
    // at the output boundary.
    public String preventXSS(String input, String mask) {
        return input.replaceAll("script", mask);
    }

Example language: Java (Bad)
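An added example, in Python rather than the page's Java and not the page's or MITRE's code, contrasting the blocklist replacement above with the listed mitigations (canonicalize, allowlist, context-aware output encoding). The function names and the username allowlist are assumptions made here.

```python
import html
import re
import unicodedata

# Assumed names; added example, not the page's or MITRE's code.


def prevent_xss_bad(user_input: str, mask: str) -> str:
    """Python equivalent of the page's Java preventXSS(): a single,
    case-sensitive blocklist token. Alternate spellings pass through."""
    return user_input.replace("script", mask)


def canonicalize(user_input: str) -> str:
    """Mitigation 1: resolve alternate representations (fullwidth letters,
    compatibility forms, HTML entities) to one canonical form before any check."""
    return html.unescape(unicodedata.normalize("NFKC", user_input))


# Mitigation 2: positive specification for a field with a known shape
# (constructed allowlist for a username; adjust per field).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(user_input: str) -> bool:
    return USERNAME_RE.fullmatch(canonicalize(user_input)) is not None


def render_html_text(user_input: str) -> str:
    """Mitigation 3: context-aware output encoding for HTML text content.
    Every '<', '>', '&' and quote is encoded, whatever the input looked like."""
    return html.escape(canonicalize(user_input), quote=True)


SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def still_contains_script_tag(rendered: str) -> bool:
    """Defensive check: does a raw <script> tag, in any letter case,
    survive in the string that will reach the browser?"""
    return SCRIPT_TAG_RE.search(rendered) is not None
```

The check is the useful part for a code review: run it over what the blocklist version emits and over what the encoding version emits, and only the latter is clean for every input shape.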
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2026-42235 | n8n MCP OAuth client XSS vulnerability | n8n | 8.8 (AI) | High (AI) | 2026-05-04
CVE-2026-40321 | DNN security vulnerability | Dnn.Platform | 8.1 | High | 2026-04-17
CVE-2025-14732 | WordPress plugin Elementor Website Builder – More Than Just a Page Builder security vulnerability | Elementor Website Builder – more than just a page builder | 6.4 | Medium | 2026-04-08
CVE-2026-22711 | MediaWiki - WikiLove Extension security vulnerability | Mediawiki - Wikilove Extension | 6.1 (AI) | Medium (AI) | 2026-04-07
CVE-2026-33510 | homarr security vulnerability | homarr | 8.8 | High | 2026-04-06
CVE-2026-33506 | Ory polis input validation vulnerability | polis | 8.8 | High | 2026-03-26
CVE-2025-54369 | node-saml data forgery vulnerability | node-saml | - | - | 2025-12-12
CVE-2025-65961 | Contao security vulnerability | contao | 3.3 | Low | 2025-11-25
CVE-2025-48076 | Galette security vulnerability | galette | 5.4 (AI) | Medium (AI) | 2025-11-04
CVE-2025-8561 | WordPress plugin Ova Advent security vulnerability | Ova Advent | 6.4 | Medium | 2025-10-15
CVE-2025-27793 | Vega security vulnerability | vega | 5.4 (AI) | Medium (AI) | 2025-03-27
CVE-2024-8505 | WordPress plugin WordPress Infinite Scroll cross-site scripting vulnerability | Ajax Load More – Infinite Scroll, Load More, & Lazy Load | 6.4 | Medium | 2024-10-02
CVE-2024-4459 | WordPress plugin Themesflat Addons For Elementor security vulnerability | Themesflat Addons For Elementor | 6.4 | Medium | 2024-06-06
CVE-2024-2657 | WordPress plugin Font Farsi security vulnerability | Font Farsi | 4.4 | Medium | 2024-05-30
CVE-2024-2618 | WordPress plugin Elementor Header & Footer Builder security vulnerability | Ultimate Addons for Elementor | 6.4 | Medium | 2024-05-24
CVE-2024-3666 | WordPress plugin Opal Estate Pro – Property Management and Submission security vulnerability | Opal Estate Pro – Property Management and Submission | 6.4 | Medium | 2024-05-22
CVE-2024-3519 | WordPress plugin Media Library Assistant cross-site scripting vulnerability | Media Library Assistant | 6.1 | Medium | 2024-05-21
CVE-2024-2750 | WordPress plugin Exclusive Addons for Elementor security vulnerability | Exclusive Addons for Elementor | 6.4 | Medium | 2024-05-02
CVE-2024-3162 | WordPress plugin Jeg Elementor Kit security vulnerability | Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress | 6.4 | Medium | 2024-04-03
CVE-2024-25640 | Iris security vulnerability | iris-web | 4.6 | Medium | 2024-02-19
CVE-2023-6446 | WordPress plugin Calculated Fields Form security vulnerability | Calculated Fields Form | 4.4 | Medium | 2024-01-11
CVE-2023-50712 | Iris security vulnerability | iris-web | 4.6 | Medium | 2023-12-22
CVE-2023-20208 | Cisco Identity Services Engine security vulnerability | Cisco Identity Services Engine Software | 4.8 | Medium | 2023-11-21
CVE-2023-20188 | Multiple Cisco products cross-site scripting vulnerability | Cisco Small Business Smart and Managed Switches | 4.8 | Medium | 2023-06-28
CVE-2023-35161 | XWiki Platform cross-site scripting vulnerability | xwiki-platform | 9.7 | Critical | 2023-06-23
CVE-2023-35160 | XWiki Platform cross-site scripting vulnerability | xwiki-platform | 9.7 | Critical | 2023-06-23
CVE-2023-35159 | XWiki Platform cross-site scripting vulnerability | xwiki-platform | 9.7 | Critical | 2023-06-23
CVE-2023-35158 | XWiki Platform security vulnerability | xwiki-platform | 9.7 | Critical | 2023-06-23
CVE-2023-35156 | XWiki Platform cross-site scripting vulnerability | xwiki-platform | 9.7 | Critical | 2023-06-23
CVE-2022-20963 | Cisco Identity Services Engine cross-site scripting vulnerability | Cisco Identity Services Engine Software | 5.4 | Medium | 2022-11-03

(AI) marks a CVSS score or risk level that the site labels as AI-generated; "-" means the site lists no value.

CWE-87 (Improper Neutralization of Alternate XSS Syntax) is a common weakness class; this platform indexes 34 CVEs associated with it.