CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Risk rating: low-risk
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Abstraction: Base
Common Consequences
Access Control → Bypass Protection Mechanism
Integrity → Execute Unauthorized Code or Commands
Confidentiality → Execute Unauthorized Code or Commands
Detection Methods
Automated Static Analysis
Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.
Black Box
Use the XSS Cheat Sheet [REF-714] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet contains many subtle XSS variations that are specifically targeted against weak XSS defenses.
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2019-3929 | 9.8 | 94.3% | Y |
| CVE-2022-27926 | 6.1 | 94.1% | Y |
| CVE-2023-37580 | 6.1 | 93.9% | Y |
| CVE-2020-9496 | 6.1 | 93.8% | — |
| CVE-2020-2096 | 6.1 | 93.8% | — |
| CVE-2020-3580 | 6.1 | 93.4% | Y |
| CVE-2023-4220 | 8.1 | 93.2% | — |
Risk score: 5 / 100 (low-risk)
Active Threat: 4/50 · Minimal
Exploit Availability: 1/50 · Minimal