CWE-80
AllowedImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
939 vulnerabilities reference this CWE, most recent first.
GHSA-2F2W-349X-VRQM
Vulnerability from github – Published: 2021-07-02 19:18 – Updated: 2023-04-14 19:24On Saturday, @hdodov reported that the Panel's ListItem component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks.
We used his report as an opportunity to find and fix XSS issues related to dynamic site content throughout the Panel codebase.
Impact
Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.
Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.
Visitors without Panel access can only use this attack vector if your site allows changing site data from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.
Patches
Kirby 3.5.7 contains patches for the following issues we found during our investigation:
- Some translated error and info messages contain placeholders to dynamically insert information like page titles or filenames. While the translation strings are allowed to contain HTML formatting, the dynamic data needs to be protected against XSS attacks. Kirby 3.5.7 now escapes the dynamic data.
- Our
Boxcomponent used to display information for the user supports HTML output for specific use-cases. We found out that the dialogs used in thefiles,pagesandusersfields as well as thefieldssection used it to display raw exception or error messages. These messages are now escaped. - The users and settings views display user and language data using the
ListItemcomponent that supports HTML. We now escape the dynamic data before it is passed to theListItemcomponent. - Some of our sections and fields support HTML for their
text,helpand/orinfoproperties. This allows custom formatting from the blueprint, but also caused the original issue reported to us that allowed to inject HTML code from the content itself. Kirby 3.5.7 now escapes the defaulttextdisplayed by thefilesandpagessections (filename/page title), thefiles,pagesandusersfields (filename/page title/username) and by query-basedcheckboxes,radio,tagsandmultiselectfields (default text depending on the used query).
Note: Custom text, help and info queries in blueprints are not escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.6"
},
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32735"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-02T16:38:10Z",
"nvd_published_at": "2021-07-02T15:15:00Z",
"severity": "HIGH"
},
"details": "On Saturday, @hdodov reported that the Panel\u0027s `ListItem` component (used in the pages and files section for example) displayed HTML in page titles as it is. This could be used for cross-site scripting (XSS) attacks.\n\nWe used his report as an opportunity to find and fix XSS issues related to dynamic site content throughout the Panel codebase.\n\n### Impact\n\nCross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of other users. In the Panel, a harmful script can for example trigger requests to Kirby\u0027s API with the permissions of the victim.\n\nSuch vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.\n\nVisitors without Panel access can only use this attack vector if your site allows changing site data from a frontend form (for example user self-registration or the creation of pages from a contact or other frontend form). If you validate or sanitize the provided form data, you are already protected against such attacks by external visitors.\n\n### Patches\n\n[Kirby 3.5.7](https://github.com/getkirby/kirby/releases/tag/3.5.7) contains patches for the following issues we found during our investigation:\n\n- Some translated error and info messages contain placeholders to dynamically insert information like page titles or filenames. While the translation strings are allowed to contain HTML formatting, the dynamic data needs to be\u00a0protected against XSS attacks. Kirby 3.5.7 now escapes the dynamic data.\n- Our `Box` component used to display information for the user supports HTML output for specific use-cases. We found out that the dialogs used in the `files`, `pages` and `users` fields as well as the `fields` section used it to display raw exception or error messages. These messages are now escaped.\n- The users and settings views display user and language data using the `ListItem` component that supports HTML. We now escape the dynamic data before it is passed to the `ListItem` component.\n- Some of our sections and fields support HTML for their `text`, `help` and/or `info` properties. This allows custom formatting from the blueprint, but also caused the original issue reported to us that allowed to inject HTML code from the content itself. Kirby 3.5.7 now escapes the default `text` displayed by the `files` and `pages` sections (filename/page title), the `files`, `pages` and `users` fields (filename/page title/username) and by query-based `checkboxes`, `radio`, `tags` and `multiselect` fields (default text depending on the used query).\n\n**Note:** Custom `text`, `help` and `info` queries in blueprints are *not* escaped in 3.5.7. We support HTML in these properties because there are valid use-cases for custom formatting. However there can still be XSS vulnerabilities depending on your use of these properties. In Kirby 3.6 we will provide a new feature that will make it much easier to control whether you want to allow HTML from query placeholders.",
"id": "GHSA-2f2w-349x-vrqm",
"modified": "2023-04-14T19:24:30Z",
"published": "2021-07-02T19:18:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-2f2w-349x-vrqm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32735"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/commit/f5ead62f8510158bed5baf58ca0e851875778a09"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cross-site scripting (XSS) from field and configuration text displayed in the Panel"
}
GHSA-2FHP-49GM-838V
Vulnerability from github – Published: 2024-04-17 21:30 – Updated: 2024-07-03 18:35A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the MENU parameter under the Menu module.
{
"affected": [],
"aliases": [
"CVE-2024-32746"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-17T21:15:09Z",
"severity": "MODERATE"
},
"details": "A cross-site scripting (XSS) vulnerability in the Settings section of WonderCMS v3.4.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the MENU parameter under the Menu module.",
"id": "GHSA-2fhp-49gm-838v",
"modified": "2024-07-03T18:35:19Z",
"published": "2024-04-17T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32746"
},
{
"type": "WEB",
"url": "https://github.com/adiapera/xss_menu_page_wondercms_3.4.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2J46-XFP6-WGFM
Vulnerability from github – Published: 2023-04-20 15:30 – Updated: 2024-04-04 03:36Reflective Cross-Site-Scripting in Webconf in Tribe29 Checkmk Appliance before 1.6.4.
{
"affected": [],
"aliases": [
"CVE-2023-22309"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-20T14:15:08Z",
"severity": "MODERATE"
},
"details": "Reflective Cross-Site-Scripting in Webconf in Tribe29 Checkmk Appliance before 1.6.4.",
"id": "GHSA-2j46-xfp6-wgfm",
"modified": "2024-04-04T03:36:53Z",
"published": "2023-04-20T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22309"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/9523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2M22-X9H5-MQ25
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30The GDPR cookies module for Backdrop CMS (before
1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration.
{
"affected": [],
"aliases": [
"CVE-2025-71310"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T02:16:39Z",
"severity": "LOW"
},
"details": "The GDPR cookies module for Backdrop CMS (before \n\n1.x-1.3.5) doesn\u0027t sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional \u0027Info content\u0027 field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission \"Create a GDPR Cookies Service\" or \"Edit any GDPR Cookies Service\" and a site must have added a YouTube service as configuration.",
"id": "GHSA-2m22-x9h5-mq25",
"modified": "2026-05-26T13:30:53Z",
"published": "2026-05-26T13:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71310"
},
{
"type": "WEB",
"url": "https://backdropcms.org/security/sa-contrib-2025-013"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2MG7-W9R8-29MW
Vulnerability from github – Published: 2026-04-07 21:32 – Updated: 2026-04-16 00:54Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.
{
"affected": [],
"aliases": [
"CVE-2026-39841"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T20:16:34Z",
"severity": "MODERATE"
},
"details": "Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.This issue affects Mediawiki - Cargo Extension: before 3.8.7.",
"id": "GHSA-2mg7-w9r8-29mw",
"modified": "2026-04-16T00:54:04Z",
"published": "2026-04-07T21:32:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39841"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1237973"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T416389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2MHQ-48GX-32RG
Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2026-04-01 18:36Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection. This issue affects XStore: from n/a through 9.5.3.
{
"affected": [],
"aliases": [
"CVE-2025-60100"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-26T09:15:35Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in 8theme XStore allows Code Injection. This issue affects XStore: from n/a through 9.5.3.",
"id": "GHSA-2mhq-48gx-32rg",
"modified": "2026-04-01T18:36:21Z",
"published": "2025-09-26T09:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60100"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/xstore/vulnerability/wordpress-xstore-theme-9-5-3-content-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2P4R-XJWX-3WHG
Vulnerability from github – Published: 2024-06-04 12:31 – Updated: 2024-06-04 12:31Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79.
{
"affected": [],
"aliases": [
"CVE-2023-48285"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-04T11:15:48Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79.",
"id": "GHSA-2p4r-xjwx-3whg",
"modified": "2024-06-04T12:31:04Z",
"published": "2024-06-04T12:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48285"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/stripe-payments/wordpress-accept-stripe-payments-plugin-2-0-79-content-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2P9H-RQJW-GM92
Vulnerability from github – Published: 2026-02-25 22:28 – Updated: 2026-02-27 21:52Impact
An authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send & Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover.
Patches
The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Webhook node by adding n8n-nodes-base.webhook to the NODES_EXCLUDE environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Credit
Reporters: - @ori-ron - @Aikido-Security - @nil340 - Pawel Bednarz from the NATO Cyber Security Centre (NCSC)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.123.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27578"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T22:28:57Z",
"nvd_published_at": "2026-02-25T23:16:21Z",
"severity": "HIGH"
},
"details": "## Impact\nAn authenticated user with permission to create or modify workflows could inject arbitrary scripts into pages rendered by the n8n application using different techniques on various nodes (Form Trigger node, Chat Trigger node, Send \u0026 Wait node, Webhook Node, and Chat Node). Scripts injected by a malicious workflow execute in the browser of any user who visits the affected page, enabling session hijacking and account takeover.\n\n## Patches\nThe issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Webhook node by adding `n8n-nodes-base.webhook` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n## Credit\nReporters:\n- @ori-ron\n- @Aikido-Security\n- @nil340\n- Pawel Bednarz from the NATO Cyber Security Centre (NCSC)",
"id": "GHSA-2p9h-rqjw-gm92",
"modified": "2026-02-27T21:52:06Z",
"published": "2026-02-25T22:28:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27578"
},
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a"
},
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6"
},
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "n8n Vulnerable to Stored XSS via Various Nodes"
}
GHSA-2PHH-VPWQ-X849
Vulnerability from github – Published: 2026-05-28 21:32 – Updated: 2026-05-28 21:32A reflected cross-site scripting issue exists in URL handling.
{
"affected": [],
"aliases": [
"CVE-2026-9646"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T21:16:35Z",
"severity": "MODERATE"
},
"details": "A reflected cross-site scripting issue exists in URL handling.",
"id": "GHSA-2phh-vpwq-x849",
"modified": "2026-05-28T21:32:07Z",
"published": "2026-05-28T21:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9646"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2026-46"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PM2-CPJX-462G
Vulnerability from github – Published: 2024-03-14 15:34 – Updated: 2024-07-03 18:33Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php.
{
"affected": [],
"aliases": [
"CVE-2024-28417"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T13:15:53Z",
"severity": "MODERATE"
},
"details": "Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php.",
"id": "GHSA-2pm2-cpjx-462g",
"modified": "2024-07-03T18:33:45Z",
"published": "2024-03-14T15:34:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28417"
},
{
"type": "WEB",
"url": "https://gitee.com/shavchen214/pwn/issues/I94VFH"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-18: XSS Targeting Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.
CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
CAPEC-32: XSS Through HTTP Query Strings
An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.
CAPEC-86: XSS Through HTTP Headers
An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.