teerth04 / opencart


[Possible] Cross-site Scripting #34

Open armorcodegithubqa[bot] opened 1 year ago

armorcodegithubqa[bot] commented 1 year ago

Acunetix 360 detected Possible Cross-site Scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Although Acunetix 360 believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Parameters:

Method: GET
Parameter Name: Query Based
Parameter Type: FullQueryString
Parameter Value: '"--></style></scRipt><scRipt>netsparker(0x000989)</scRipt>

Finding Id : [38248239|https://qa.armorcode.ai/#/findings/278/1413/38248239]