CWE-80
AllowedImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
936 vulnerabilities reference this CWE, most recent first.
GHSA-8QWG-H3WF-MWX5
Vulnerability from github – Published: 2024-01-02 00:30 – Updated: 2024-01-02 00:30A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/students.php of the component NIA Office. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249441 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-0183"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-01T23:15:08Z",
"severity": "LOW"
},
"details": "A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/students.php of the component NIA Office. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249441 was assigned to this vulnerability.",
"id": "GHSA-8qwg-h3wf-mwx5",
"modified": "2024-01-02T00:30:21Z",
"published": "2024-01-02T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0183"
},
{
"type": "WEB",
"url": "https://mega.nz/file/SB8ylCxQ#vSaXJwbNjeG-KXatgkxE8XI6Cmnv-A_Sg2IjvoJZs0E"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.249441"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.249441"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8RQ5-WWPP-FMJ2
Vulnerability from github – Published: 2026-05-05 20:32 – Updated: 2026-05-13 16:24Description: Stored Cross-Site Scripting (XSS) occurs when user-supplied input is persisted by the application and later rendered in another user's browser without proper sanitization or contextual output encoding. When the vulnerable sink is a high-traffic surface such as a public forum thread, the payload executes in the browser of every user who visits the page, maximizing both reach and impact. Any JavaScript injected through such a sink runs under the application's origin and inherits the privileges of whichever user happens to view the affected content.
Issue Details:
The thread posting and reply feature accepts user-supplied content that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. Submitting a post or reply containing "><img src=x onerror=prompt(0)> causes the payload to break out of the surrounding HTML context and inject a fully attacker-controlled <img> element whose onerror handler fires automatically as soon as the broken image reference fails to load. Because posts and replies are visible to every user who visits the thread, authenticated or otherwise, the injected JavaScript executes in each viewer's browser the moment the page renders, with no additional interaction required.
Impact: An attacker with a standard forum account can execute arbitrary JavaScript in the browser of every user who loads the affected thread, including moderators and administrators. This enables session/auth-cookie theft, account takeover through same-origin state-changing requests, forced privileged actions if an administrator views the thread, credential phishing via injected login overlays, forum defacement, cryptominer or malware delivery, and mass redirection of viewers to attacker-controlled sites. Because the payload triggers automatically on page load rather than requiring hover or click interaction, a single malicious post can compromise a large number of users very quickly.
Likelihood: Exploitation requires only a registered account with permission to post or reply, which is available to every forum member by default. Once posted, the payload fires automatically for any visitor who opens the thread, requiring zero victim interaction and making the overall likelihood high.
Steps to Reproduce:
- Log in to the forum as any low-privileged user (Attacker).
- Navigate to any thread where posting or replying is allowed, or create a new thread.
- In the post/reply body, submit the payload: "><img src=x onerror=prompt(0)>
- Publish the post or reply.
- Log in as a different user (e.g., Admin) or visit the thread in a separate browser session.
- Open the thread page, the injected <img> fails to load and the onerror handler fires, producing a prompt(0) dialog and confirming arbitrary JavaScript execution in the viewer's session context.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.0.4"
},
"package": {
"ecosystem": "NuGet",
"name": "YAFNET.Core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-beta01"
},
{
"fixed": "4.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.11"
},
"package": {
"ecosystem": "NuGet",
"name": "YAFNET.Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43939"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T20:32:47Z",
"nvd_published_at": "2026-05-12T15:16:15Z",
"severity": "HIGH"
},
"details": "**Description:**\nStored Cross-Site Scripting (XSS) occurs when user-supplied input is persisted by the application and later rendered in another user\u0027s browser without proper sanitization or contextual output encoding. When the vulnerable sink is a high-traffic surface such as a public forum thread, the payload executes in the browser of every user who visits the page, maximizing both reach and impact. Any JavaScript injected through such a sink runs under the application\u0027s origin and inherits the privileges of whichever user happens to view the affected content.\n\n**Issue Details:**\nThe thread posting and reply feature accepts user-supplied content that is stored server-side and later rendered back into the thread page without adequate HTML sanitization or contextual output encoding. Submitting a post or reply containing `\"\u003e\u003cimg src=x onerror=prompt(0)\u003e` causes the payload to break out of the surrounding HTML context and inject a fully attacker-controlled `\u003cimg\u003e` element whose `onerror` handler fires automatically as soon as the broken image reference fails to load. Because posts and replies are visible to every user who visits the thread, authenticated or otherwise, the injected JavaScript executes in each viewer\u0027s browser the moment the page renders, with no additional interaction required.\n\n**Impact:**\nAn attacker with a standard forum account can execute arbitrary JavaScript in the browser of every user who loads the affected thread, including moderators and administrators. This enables session/auth-cookie theft, account takeover through same-origin state-changing requests, forced privileged actions if an administrator views the thread, credential phishing via injected login overlays, forum defacement, cryptominer or malware delivery, and mass redirection of viewers to attacker-controlled sites. Because the payload triggers automatically on page load rather than requiring hover or click interaction, a single malicious post can compromise a large number of users very quickly.\n\n**Likelihood:**\nExploitation requires only a registered account with permission to post or reply, which is available to every forum member by default. Once posted, the payload fires automatically for any visitor who opens the thread, requiring zero victim interaction and making the overall likelihood high.\n\n**Steps to Reproduce:**\n- Log in to the forum as any low-privileged user (Attacker).\n- Navigate to any thread where posting or replying is allowed, or create a new thread.\n- In the post/reply body, submit the payload: `\"\u003e\u003cimg src=x onerror=prompt(0)\u003e`\n- Publish the post or reply.\n- Log in as a different user (e.g., Admin) or visit the thread in a separate browser session.\n- Open the thread page, the injected `\u003cimg\u003e` fails to load and the `onerror` handler fires, producing a `prompt(0)` dialog and confirming arbitrary JavaScript execution in the viewer\u0027s session context.\n\u003cimg width=\"1127\" height=\"745\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b93442ea-1d8e-4079-ab4f-e52d41d110f3\" /\u003e",
"id": "GHSA-8rq5-wwpp-fmj2",
"modified": "2026-05-13T16:24:29Z",
"published": "2026-05-05T20:32:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/YAFNET/YAFNET/security/advisories/GHSA-8rq5-wwpp-fmj2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43939"
},
{
"type": "PACKAGE",
"url": "https://github.com/YAFNET/YAFNET"
},
{
"type": "WEB",
"url": "https://github.com/YAFNET/YAFNET/releases/tag/v3.2.12"
},
{
"type": "WEB",
"url": "https://github.com/YAFNET/YAFNET/releases/tag/v4.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers"
}
GHSA-8VMW-C4HX-3J5R
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QuLog Center versions prior to 1.2.0.
{
"affected": [],
"aliases": [
"CVE-2020-36196"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-01T02:15:00Z",
"severity": "MODERATE"
},
"details": "A stored XSS vulnerability has been reported to affect QNAP NAS running QuLog Center. If exploited, this vulnerability allows attackers to inject malicious code. This issue affects: QNAP Systems Inc. QuLog Center versions prior to 1.2.0.",
"id": "GHSA-8vmw-c4hx-3j5r",
"modified": "2022-05-24T19:06:47Z",
"published": "2022-05-24T19:06:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36196"
},
{
"type": "WEB",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-21-30"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8WVX-X66H-GVP7
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-08-06 00:00The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is seperate from CVE-2021-24702.
{
"affected": [],
"aliases": [
"CVE-2021-39348"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-21T20:15:00Z",
"severity": "MODERATE"
},
"details": "The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is seperate from CVE-2021-24702.",
"id": "GHSA-8wvx-x66h-gvp7",
"modified": "2022-08-06T00:00:52Z",
"published": "2022-05-24T19:18:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39348"
},
{
"type": "WEB",
"url": "https://github.com/BigTiger2020/word-press/blob/main/LearnPress.md"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2614592%40learnpress\u0026new=2614592%40learnpress\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://wordfence.com/vulnerability-advisories/#CVE-2021-39348"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8XR9-89PC-8WCX
Vulnerability from github – Published: 2024-04-04 18:30 – Updated: 2025-01-08 15:31There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser.
{
"affected": [],
"aliases": [
"CVE-2024-25690"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T18:15:09Z",
"severity": "MODERATE"
},
"details": "There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.1 and below that may allow a remote, unauthenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim\u2019s browser.",
"id": "GHSA-8xr9-89pc-8wcx",
"modified": "2025-01-08T15:31:06Z",
"published": "2024-04-04T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25690"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-1"
},
{
"type": "WEB",
"url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-95J3-435G-VJCP
Vulnerability from github – Published: 2025-02-21 23:54 – Updated: 2025-03-31 15:58Summary
HTML can be arbitrarily injected into emails from Leantime due to improper neutralization of HTML tags in users' first names. This effectively allows for the creation of phishing emails from a Leantime instance's email address.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "leantime/leantime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-28254"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-21T23:54:26Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nHTML can be arbitrarily injected into emails from Leantime due to improper neutralization of HTML tags in users\u0027 first names. This effectively allows for the creation of phishing emails from a Leantime instance\u0027s email address.",
"id": "GHSA-95j3-435g-vjcp",
"modified": "2025-03-31T15:58:10Z",
"published": "2025-02-21T23:54:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Leantime/leantime/security/advisories/GHSA-95j3-435g-vjcp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28254"
},
{
"type": "WEB",
"url": "https://github.com/Leantime/leantime/commit/ce1d2073e4601183e1bdd90f4b433d16aee46a50"
},
{
"type": "PACKAGE",
"url": "https://github.com/Leantime/leantime"
},
{
"type": "WEB",
"url": "https://github.com/Leantime/leantime/blob/0e7ddbbe3d582f657a1dddfef7b3419ae588cbf7/app/Domain/Notifications/Services/Notifications.php#L128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Leantime affected by Improper Neutralization of HTML Tags"
}
GHSA-96HC-G58P-3PQ7
Vulnerability from github – Published: 2024-03-28 21:30 – Updated: 2024-07-03 18:33Cross Site Scripting vulnerability in Insurance Mangement System v.1.0.0 and before allows a remote attacker to execute arbitrary code via the Street input field.
{
"affected": [],
"aliases": [
"CVE-2024-31062"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-28T19:15:48Z",
"severity": "MODERATE"
},
"details": "Cross Site Scripting vulnerability in Insurance Mangement System v.1.0.0 and before allows a remote attacker to execute arbitrary code via the Street input field.",
"id": "GHSA-96hc-g58p-3pq7",
"modified": "2024-07-03T18:33:55Z",
"published": "2024-03-28T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31062"
},
{
"type": "WEB",
"url": "https://github.com/sahildari/cve/blob/master/CVE-2024-31062.md"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/xss"
},
{
"type": "WEB",
"url": "https://portswigger.net/web-security/cross-site-scripting/stored"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-97CW-R9QF-J9QH
Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-20 18:31Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through <= 3.4.1.
{
"affected": [],
"aliases": [
"CVE-2026-22422"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-19T09:16:11Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through \u003c= 3.4.1.",
"id": "GHSA-97cw-r9qf-j9qh",
"modified": "2026-02-20T18:31:27Z",
"published": "2026-02-19T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22422"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/everest-forms/vulnerability/wordpress-everest-forms-plugin-3-4-1-arbitrary-shortcode-execution-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-99GF-4HPH-HX88
Vulnerability from github – Published: 2025-11-11 06:30 – Updated: 2025-11-11 06:30The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
{
"affected": [],
"aliases": [
"CVE-2025-12753"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T04:15:50Z",
"severity": "MODERATE"
},
"details": "The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027pmzez_chart\u0027 shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
"id": "GHSA-99gf-4hph-hx88",
"modified": "2025-11-11T06:30:22Z",
"published": "2025-11-11T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12753"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/chart-expert/tags/1.0/inc/shortcode.php#L1"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/chart-expert/tags/1.0/inc/shortcode.php#L95"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ed413a9-bf1d-4564-b740-4c92ec2c2249?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9CJH-QMVX-436C
Vulnerability from github – Published: 2022-05-01 02:20 – Updated: 2023-09-18 23:52Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2005-3745"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-18T23:52:44Z",
"nvd_published_at": "2005-11-22T11:03:00Z",
"severity": "MODERATE"
},
"details": "Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message.",
"id": "GHSA-9cjh-qmvx-436c",
"modified": "2023-09-18T23:52:44Z",
"published": "2022-05-01T02:20:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-3745"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r02c2d634fa74209d941c90f9a4cd36a6f12366ca65f9b90446ff2de3@%3Cissues.struts.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf482c101a88445d73cc2e89dbf7f16ae00a4aa79a544a1e72b2326db@%3Cissues.struts.apache.org%3E"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20051230061138/http://www.hacktics.com/AdvStrutsNov05.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20060315133810/http://securitytracker.com/alerts/2005/Nov/1015257.html"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20060408105414/http://www.securityfocus.com/bid/15512"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201125023452/http://www.securityfocus.com/archive/1/417296/30/0/threaded"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201207010315/https://cxsecurity.com/issue/WLB-2005110055"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0157.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0161.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Apache Struts Cross-site scripting Vulnerability"
}
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-18: XSS Targeting Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.
CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
CAPEC-32: XSS Through HTTP Query Strings
An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.
CAPEC-86: XSS Through HTTP Headers
An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.