search

kartikdedhia / Riches

0 stars 2 forks source link

CX Reflected_XSS_All_Clients @ riches/pages/content/Security.jsp [master] #15

Open kartikdedhia opened 5 years ago

kartikdedhia commented 5 years ago

Reflected_XSS_All_Clients issue exists @ riches/pages/content/Security.jsp in branch master

Method url="<%=request.getParameter at line 6 of riches\pages\content\Security.jsp gets user input for the ""privacy_statement"" element. This element’s value then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method url="<%=request.getParameter at line 6 of riches\pages\content\Security.jsp. This may enable a Cross-Site-Scripting attack.

Severity: High CWE:79 Checkmarx Lines: 6

Code (Line #6):

    <c:import url="<%=request.getParameter(\"privacy_statement\")%>"/>
kartikdedhia commented 4 years ago

Issue still exists.

kartikdedhia commented 4 years ago

Issue still exists.