Description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

While a traditional cross-site scripting vulnerability occurs on the server-side code, document object model based cross-site scripting is a type of vulnerability which affects the script code in the client's browser.

Remediation

Your script should filter metacharacters from user input.

References

Acunetix Cross Site Scripting Attack

VIDEO: How Cross-Site Scripting (XSS) Works

The Cross Site Scripting Faq

OWASP DOM Based XSS

DOM based XSS Prevention Cheat Sheet

XSS Filter Evasion Cheat Sheet

Cross site scripting

OWASP PHP Top 5

How To: Prevent Cross-Site Scripting in ASP.NET

Related Vulnerabilities

WordPress Plugin P3 (Plugin Performance Profiler) Cross-Site Scripting (1.5.3.8)

WordPress Plugin OSD Subscribe Cross-Site Scripting (1.2.3)

WordPress Plugin Gravity Forms Infusionsoft Cross-Site Scripting (1.1.4)

WordPress Plugin Contact Form DB-Elementor Cross-Site Scripting (1.7)

WordPress Plugin GN Publisher: Google News Compatible RSS Feeds Cross-Site Scripting (1.5.5)

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N

Tags

XSS Deepscan