Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Cross-site Scripting via Remote File Inclusion

Description

This script is vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. The server opens arbitrary URLs and puts the content retrieved from the URL into the response without filtering.

Remediation

Your server side code should verify if the URL from the user input is allowed to be retrieved and displayed or filter the response from the URL according to the context in which it is displayed.

References

Acunetix Cross Site Scripting Attack

VIDEO: How Cross-Site Scripting (XSS) Works

The Cross Site Scripting Faq

XSS Filter Evasion Cheat Sheet

Cross site scripting

OWASP PHP Top 5

How To: Prevent Cross-Site Scripting in ASP.NET

Related Vulnerabilities

WordPress Plugin Visualizer:Tables and Charts Manager for WordPress Cross-Site Scripting (3.9.1)

WordPress Plugin WooCommerce Cross-Site Scripting (3.4.5)

WordPress Plugin AdPlugg WordPress Ad Cross-Site Scripting (1.1.33)

WordPress Plugin Simple Security Multiple Cross-Site Scripting Vulnerabilities (1.1.5)

Apache 2.x version older than 2.0.63

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:L/SA:N

Tags

XSS Acumonitor