Read Time:36 Second

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The “XSS Cheat Sheet” [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

Modes of Introduction:

Likelihood of Exploit:

 

Related Weaknesses

CWE-184
CWE-79

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

 

Potential Mitigations

CVE References

 

  • CVE-2007-5727
    • Denylist only removes