CWE-692
Incomplete Denylist to Cross-Site Scripting
AI Translation Available
The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
Status
draft
Abstraction
compound
Affected Platforms
Web Based
Web Server
Extended Description
AI Translation
While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages, that a denylist cannot keep track of all the variations. The 'XSS Cheat Sheet' [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.
Technical Details
AI Translation
Common Consequences
confidentiality
integrity
availability
Impacts
execute unauthorized code or commands