CWE-81
AllowedImproper Neutralization of Script in an Error Message Web Page
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.
16 vulnerabilities reference this CWE, most recent first.
GHSA-CXH3-PRMP-2877
Vulnerability from github – Published: 2025-03-12 18:32 – Updated: 2025-03-12 18:32Improper Neutralization of Script in an Error Message Web Page vulnerability in OpenText™ Service Manager.
The vulnerability could reveal sensitive information retained by the browser.
This issue affects Service Manager: 9.70, 9.71, 9.72, 9.80.
{
"affected": [],
"aliases": [
"CVE-2025-0883"
],
"database_specific": {
"cwe_ids": [
"CWE-81"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-12T16:15:20Z",
"severity": "LOW"
},
"details": "Improper Neutralization of Script in an Error Message Web Page vulnerability in OpenText\u2122 Service Manager.\u00a0\n\nThe vulnerability could reveal sensitive information retained by the browser.\n\nThis issue affects Service Manager: 9.70, 9.71, 9.72, 9.80.",
"id": "GHSA-cxh3-prmp-2877",
"modified": "2025-03-12T18:32:52Z",
"published": "2025-03-12T18:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0883"
},
{
"type": "WEB",
"url": "https://portal.microfocus.com/s/article/KM000037099?language=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:A/V:C/RE:M/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-GHW9-H2F5-FQ79
Vulnerability from github – Published: 2025-04-30 12:31 – Updated: 2025-04-30 12:31A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user's browser via a crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2025-24344"
],
"database_specific": {
"cwe_ids": [
"CWE-81"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T12:15:18Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the error notification messages of the web application of ctrlX OS allows a remote unauthenticated attacker to inject arbitrary HTML tags and, possibly, execute arbitrary client-side code in the context of another user\u0027s browser via a crafted HTTP request.",
"id": "GHSA-ghw9-h2f5-fq79",
"modified": "2025-04-30T12:31:24Z",
"published": "2025-04-30T12:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24344"
},
{
"type": "WEB",
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-640452.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J8HP-F2MJ-586G
Vulnerability from github – Published: 2024-10-24 18:13 – Updated: 2024-10-24 21:46Summary
The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message.
It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, as in GHSA-m88m-crr9-jvqq, which may be difficult. However, out-of-tree extensions may add their own calls to respondWithErrorPage.
Details
The Command.respondWithErrorPage (through HttpUtilities.respondWithErrorPage) function renders the Velocity template error.vt, which contains the $message and $stack variables, which are included in the response as-is:
https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53
However, the message can contain HTML tags, which would then be interpreted by the browser. A mitigation would be to escape both the message and stack trace, perhaps using Guava's HTML escaper.
Flows that report errors as application/json responses are not interpreted by the browser and so not affected by this issue.
PoC
In OpenRefine, use the "Import project" feature to import the following URL (or upload it as a file): https://wandernauta.nl/oa/example.tar.gz
A JavaScript alert appears.
Impact
Execution of arbitrary JavaScript in the victim's browser, provided the victim can be convinced to import a malicious project. The script can do anything the user can do.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openrefine:openrefine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47882"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-81"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-24T18:13:04Z",
"nvd_published_at": "2024-10-24T21:15:13Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe built-in \"Something went wrong!\" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message.\n\nIt appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, as in GHSA-m88m-crr9-jvqq, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`.\n\n### Details\n\nThe `Command.respondWithErrorPage` (through `HttpUtilities.respondWithErrorPage`) function renders the Velocity template `error.vt`, which contains the `$message` and `$stack` variables, which are included in the response as-is:\n\nhttps://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53\n\nHowever, the message can contain HTML tags, which would then be interpreted by the browser. A mitigation would be to escape both the message and stack trace, perhaps using Guava\u0027s HTML escaper.\n\nFlows that report errors as `application/json` responses are not interpreted by the browser and so not affected by this issue.\n\n### PoC\n\nIn OpenRefine, use the \"Import project\" feature to import the following URL (or upload it as a file): https://wandernauta.nl/oa/example.tar.gz\n\nA JavaScript alert appears.\n\n### Impact\n\nExecution of arbitrary JavaScript in the victim\u0027s browser, provided the victim can be convinced to import a malicious project. The script can do anything the user can do.",
"id": "GHSA-j8hp-f2mj-586g",
"modified": "2024-10-24T21:46:03Z",
"published": "2024-10-24T18:13:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47882"
},
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenRefine/OpenRefine"
},
{
"type": "WEB",
"url": "https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenRefine\u0027s error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project"
}
GHSA-JQJ4-R483-4GVR
Vulnerability from github – Published: 2021-04-19 14:48 – Updated: 2021-10-08 21:23Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.
- https://vaadin.com/security/cve-2019-25027
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin-bom"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin-bom"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "13.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-81"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:14:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Missing output sanitization in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.\n\n- https://vaadin.com/security/cve-2019-25027",
"id": "GHSA-jqj4-r483-4gvr",
"modified": "2021-10-08T21:23:23Z",
"published": "2021-04-19T14:48:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/platform/security/advisories/GHSA-jqj4-r483-4gvr"
},
{
"type": "PACKAGE",
"url": "https://github.com/vaadin/platform"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2019-25027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13"
}
GHSA-RP4X-WXQV-CF9M
Vulnerability from github – Published: 2021-04-19 14:52 – Updated: 2021-04-16 23:17Missing output sanitization in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.
- https://vaadin.com/security/cve-2019-25027
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-25027"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-81"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:17:25Z",
"nvd_published_at": "2021-04-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "Missing output sanitization in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13), and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows attacker to execute malicious JavaScript via crafted URL.\n\n- https://vaadin.com/security/cve-2019-25027",
"id": "GHSA-rp4x-wxqv-cf9m",
"modified": "2021-04-16T23:17:25Z",
"published": "2021-04-19T14:52:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/security/advisories/GHSA-rp4x-wxqv-cf9m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25027"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/5498"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2019-25027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13"
}
GHSA-VP62-88P7-QQF5
Vulnerability from github – Published: 2026-05-18 17:52 – Updated: 2026-06-12 21:59Summary
A race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
This advisory covers the race during mountpoint creation. The related race during the subsequent mount syscall is tracked in GHSA-rg2x-37c3-w2rh
Details
When copying files into a container, the daemon sets up a temporary filesystem view by bind-mounting volumes into a private mount namespace. During this setup, the mount destination path is first resolved within the container's root filesystem using GetResourcePath, and then used to create the mountpoint (file or directory) if it does not already exist via createIfNotExists.
Between path resolution and mountpoint creation, a process running inside the container can swap a path component for a symlink pointing to an arbitrary location on the host. Because createIfNotExists operates on the already-resolved absolute path using standard os.MkdirAll and os.OpenFile — which follow symlinks in intermediate path components — the symlink is followed and the file or directory is created outside the container root filesystem, as root.
Impact
A malicious container can create empty files or directories at arbitrary absolute paths on the host filesystem, running as root. This enables persistent denial of service — for example:
- Converting
/etc/docker/daemon.jsoninto a directory prevents the daemon from restarting - Creating
/etc/nologinprevents user logins - Overwriting critical system paths with empty files can break host services
The container does not gain read or write access to existing host files — only the ability to create new empty files or directories at chosen paths.
Conditions for exploitation
- A container must be running with a process that can rapidly create and swap symlinks at a volume mount destination path.
- An operator must initiate a
docker cpinto that container, or call thePUT /containers/{id}/archiveorHEAD /containers/{id}/archiveAPI endpoints.
Not affected
- Containers that do not have volume mounts are not affected, as the race occurs during volume bind-mount setup.
Patches
Mountpoint creation is now scoped to the container root using os.Root (Go 1.24+), which refuses to follow symlinks that escape the opened root directory. All filesystem operations in createIfNotExists (MkdirAll, OpenFile) are performed through the os.Root handle, so even if a symlink swap occurs after path resolution, the creation stays confined to the container root.
Workarounds
- Only run containers from trusted images.
- Avoid using
docker cpwith untrusted running containers. - Use authorization plugins to restrict access to the archive API endpoints (
PUT /containers/{id}/archive,HEAD /containers/{id}/archive).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/docker/docker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "28.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/moby/moby/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-beta.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/moby/moby"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "28.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41568"
],
"database_specific": {
"cwe_ids": [
"CWE-367",
"CWE-61",
"CWE-81"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:52:55Z",
"nvd_published_at": "2026-06-12T19:16:26Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nA race condition during `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.\n\nThis advisory covers the race during mountpoint creation. The related race during the subsequent mount syscall is tracked in GHSA-rg2x-37c3-w2rh\n\n## Details\n\nWhen copying files into a container, the daemon sets up a temporary filesystem view by bind-mounting volumes into a private mount namespace. During this setup, the mount destination path is first resolved within the container\u0027s root filesystem using `GetResourcePath`, and then used to create the mountpoint (file or directory) if it does not already exist via `createIfNotExists`.\n\nBetween path resolution and mountpoint creation, a process running inside the container can swap a path component for a symlink pointing to an arbitrary location on the host. Because `createIfNotExists` operates on the already-resolved absolute path using standard `os.MkdirAll` and `os.OpenFile` \u2014 which follow symlinks in intermediate path components \u2014 the symlink is followed and the file or directory is created outside the container root filesystem, as root.\n\n## Impact\n\nA malicious container can create empty files or directories at arbitrary absolute paths on the host filesystem, running as root. This enables persistent denial of service \u2014 for example:\n\n- Converting `/etc/docker/daemon.json` into a directory prevents the daemon from restarting\n- Creating `/etc/nologin` prevents user logins\n- Overwriting critical system paths with empty files can break host services\n\nThe container does not gain read or write access to existing host files \u2014 only the ability to create new empty files or directories at chosen paths.\n\n### Conditions for exploitation\n\n- A container must be running with a process that can rapidly create and swap symlinks at a volume mount destination path.\n- An operator must initiate a `docker cp` into that container, or call the `PUT /containers/{id}/archive` or `HEAD /containers/{id}/archive` API endpoints.\n\n### Not affected\n\n- Containers that do not have volume mounts are not affected, as the race occurs during volume bind-mount setup.\n\n## Patches\n\nMountpoint creation is now scoped to the container root using `os.Root` (Go 1.24+), which refuses to follow symlinks that escape the opened root directory. All filesystem operations in `createIfNotExists` (`MkdirAll`, `OpenFile`) are performed through the `os.Root` handle, so even if a symlink swap occurs after path resolution, the creation stays confined to the container root.\n\n## Workarounds\n\n- Only run containers from trusted images.\n- Avoid using `docker cp` with untrusted running containers.\n- Use authorization plugins to restrict access to the archive API endpoints (`PUT /containers/{id}/archive`, `HEAD /containers/{id}/archive`).",
"id": "GHSA-vp62-88p7-qqf5",
"modified": "2026-06-12T21:59:28Z",
"published": "2026-05-18T17:52:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/moby/moby/security/advisories/GHSA-vp62-88p7-qqf5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41568"
},
{
"type": "PACKAGE",
"url": "https://github.com/moby/moby"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap"
}
Mitigation
Do not write user-controlled input to error pages.
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-198: XSS Targeting Error Pages
An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.