Description

The character encoding (charset) of this page is dirrectly controlled by user input. The charset can be specified in the Content-Type header or in a meta tag declaration. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks.

Remediation

It's recommended to force UTF-8 in charset declarations. If the user must control the charset, make sure you are using a whitelist of accepted charsets.

References

User Controllable Charset | iothreat | Achieve SOC2 Compliance

Related Vulnerabilities

WordPress Plugin Email Subscribers by Icegram Express-Email Marketing, Newsletters, Automation for WordPress & WooCommerce Cross-Site Scripting (3.2.5)

WordPress Plugin Gallery-Photo Albums-Portfolio Cross-Site Scripting (1.2.25)

WordPress Plugin Events Calendar 'ec_management.class.php' Cross-Site Scripting (6.7.11)

WordPress Plugin AJAX Random Post Cross-Site Scripting (2.00)

WordPress Plugin Ceceppa Multilingua Multiple Cross-Site Scripting Vulnerabilities (1.5.13)

Severity

Medium

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality XSS