Description

The character encoding (charset) of this page is dirrectly controlled by user input. The charset can be specified in the Content-Type header or in a meta tag declaration. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks.

Remediation

It's recommended to force UTF-8 in charset declarations. If the user must control the charset, make sure you are using a whitelist of accepted charsets.

Related Vulnerabilities

Subscribe2 Cross-Site Scripting (10.15)

Broken Link Checker Multiple Cross-Site Scripting Vulnerabilities (1.9.1)

WP-Matomo (WP-Piwik) Cross-Site Scripting (1.0.10)

Wordfence Security-Firewall & Malware Scan Cross-Site Scripting (6.0.21)

My Calendar Cross-Site Scripting (2.4.18)

Severity

Medium

Classification

CWE-20 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Tags

Abuse Of Functionality XSS