Common Weakness Enumeration

CWE-83

Allowed

Improper Neutralization of Script in Attributes in a Web Page

Abstraction: Variant · Status: Draft

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

40 vulnerabilities reference this CWE, most recent first.

GHSA-7F96-HG3W-W868

Vulnerability from github – Published: 2025-04-11 04:19 – Updated: 2025-04-11 04:19
VLAI
Details

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.

The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

This issue does not affect Cloud NGFW and all Prisma® Access instances.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-11T02:15:18Z",
    "severity": "MODERATE"
  },
  "details": "An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS\u00ae software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.\n\n\nThe attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .\n\nThis issue does not affect Cloud NGFW and all Prisma\u00ae Access instances.",
  "id": "GHSA-7f96-hg3w-w868",
  "modified": "2025-04-11T04:19:27Z",
  "published": "2025-04-11T04:19:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0125"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2025-0125"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8M4F-V87C-8XHM

Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-14 21:31
VLAI
Details

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.

The attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-14T19:15:52Z",
    "severity": "MODERATE"
  },
  "details": "An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS\u00ae software enables a malicious authenticated read-write administrator to impersonate another legitimate authenticated PAN-OS administrator.\n\n\nThe attacker must have network access to the management web interface to exploit this issue. You greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended  critical deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .",
  "id": "GHSA-8m4f-v87c-8xhm",
  "modified": "2025-05-14T21:31:18Z",
  "published": "2025-05-14T21:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0137"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2025-0137"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-934W-87QH-QR26

Vulnerability from github – Published: 2026-06-16 13:49 – Updated: 2026-06-16 13:49
VLAI
Summary
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Details

Summary

<NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link.

The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically.

Unlike the previously reported navigateTo issue (CVE-2024-34343), the sink here is the rendered anchor itself; the existing isScriptProtocol checks in navigateTo and reloadNuxtApp are not on the code path. The onClick handler intentionally returns early for external links so the browser's native protocol-based navigation runs.

Affected component

  • File: packages/nuxt/src/app/components/nuxt-link.ts
  • Sink: h('a', { href: href.value, ... }) in the default render, plus the href / route.href props passed to the custom slot.
  • Broken check: external auto-detection treated any hasProtocol(path, { acceptRelative: true }) value as an "external link", then rendered the value directly as <a href> without rejecting script-capable protocols. There was no equivalent of the navigateTo isScriptProtocol(protocol) gate in this path.

Impact

Any Nuxt application that binds user-controlled values to <NuxtLink :to> / :href was vulnerable. Common shapes: profile-link rendering (<NuxtLink :to="user.website">), "share this" / "open in new tab" handlers that pass through a query parameter, CMS-driven landing pages that render <NuxtLink :to="cms.cta.url">, and marketplace listings that show seller-supplied links.

For javascript: / vbscript: the primitive is reflected XSS in the application's first-party origin (session theft for non-HttpOnly cookies, CSRF token theft, account takeover via DOM rewriting, credential harvesting via fake login overlays). For data:text/html,... the attacker gets a same-tab phishing surface anchored to a legitimate application link.

Patches

Fixed in nuxt@4.4.7 (commit 0103ce06) and backported to nuxt@3.21.7 (commit 53284043). The fix sanitises the resolved external href before it is passed to <a> or the custom slot: control characters and whitespace are stripped, leading view-source: prefixes are unwrapped, and any remaining script-capable scheme (per isScriptProtocol) causes the href to be replaced with an empty string.

Workarounds

Until you can upgrade, validate URLs at the source before binding them to <NuxtLink :to> / :href. For example, only accept paths that start with / (and not //), or run user-supplied URLs through new URL(value) and reject anything whose protocol is not in an allow-list (typically http: and https:).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.21.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T13:49:36Z",
    "nvd_published_at": "2026-06-12T15:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n`\u003cNuxtLink\u003e` did not validate the URL scheme of values bound to its `to` or `href` props before rendering them into the `href` attribute of the underlying `\u003ca\u003e` element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to `\u003cNuxtLink :to\u003e` or `:href`, the attacker can supply a `javascript:` or `vbscript:` URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A `data:text/html,...` payload reflected through the same sink does not execute in the application\u0027s origin but enables a same-tab phishing surface anchored to a legitimate application link.\n\nThe same value was exposed to consumers of the component\u0027s `custom` slot via the `href` and `route.href` props, so applications that re-bind those values to their own anchors were affected identically.\n\nUnlike the previously reported `navigateTo` issue (CVE-2024-34343), the sink here is the rendered anchor itself; the existing `isScriptProtocol` checks in `navigateTo` and `reloadNuxtApp` are not on the code path. The `onClick` handler intentionally returns early for external links so the browser\u0027s native protocol-based navigation runs.\n\n### Affected component\n\n- File: `packages/nuxt/src/app/components/nuxt-link.ts`\n- Sink: `h(\u0027a\u0027, { href: href.value, ... })` in the default render, plus the `href` / `route.href` props passed to the `custom` slot.\n- Broken check: external auto-detection treated any `hasProtocol(path, { acceptRelative: true })` value as an \"external link\", then rendered the value directly as `\u003ca href\u003e` without rejecting script-capable protocols. There was no equivalent of the `navigateTo` `isScriptProtocol(protocol)` gate in this path.\n\n### Impact\n\nAny Nuxt application that binds user-controlled values to `\u003cNuxtLink :to\u003e` / `:href` was vulnerable. Common shapes: profile-link rendering (`\u003cNuxtLink :to=\"user.website\"\u003e`), \"share this\" / \"open in new tab\" handlers that pass through a query parameter, CMS-driven landing pages that render `\u003cNuxtLink :to=\"cms.cta.url\"\u003e`, and marketplace listings that show seller-supplied links.\n\nFor `javascript:` / `vbscript:` the primitive is reflected XSS in the application\u0027s first-party origin (session theft for non-`HttpOnly` cookies, CSRF token theft, account takeover via DOM rewriting, credential harvesting via fake login overlays). For `data:text/html,...` the attacker gets a same-tab phishing surface anchored to a legitimate application link.\n\n### Patches\n\nFixed in `nuxt@4.4.7` (commit [`0103ce06`](https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3)) and backported to `nuxt@3.21.7` (commit [`53284043`](https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0)). The fix sanitises the resolved external `href` before it is passed to `\u003ca\u003e` or the `custom` slot: control characters and whitespace are stripped, leading `view-source:` prefixes are unwrapped, and any remaining script-capable scheme (per `isScriptProtocol`) causes the `href` to be replaced with an empty string.\n\n### Workarounds\n\nUntil you can upgrade, validate URLs at the source before binding them to `\u003cNuxtLink :to\u003e` / `:href`. For example, only accept paths that start with `/` (and not `//`), or run user-supplied URLs through `new URL(value)` and reject anything whose `protocol` is not in an allow-list (typically `http:` and `https:`).",
  "id": "GHSA-934w-87qh-qr26",
  "modified": "2026-06-16T13:49:36Z",
  "published": "2026-06-16T13:49:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-934w-87qh-qr26"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/0103ce06fbbbdfa079a7f020ef8ce00121eac4a3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/53284043dc21210a25d629d1cec67d3ae557ffd0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nuxt: Reflected XSS in `\u003cNuxtLink\u003e` via unsanitised `javascript:` or `data:` URL"
}

GHSA-9W5H-PX4F-8H8M

Vulnerability from github – Published: 2025-10-09 21:31 – Updated: 2026-04-01 03:31
VLAI
Details

An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and execute arbitrary commands.

The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.

Cloud NGFW and Prisma® Access are not affected by this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-09T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "An improper input neutralization vulnerability in the management web interface of the Palo Alto Networks PAN-OS\u00ae software enables an authenticated administrator to bypass system restrictions and execute arbitrary commands.\n\nThe security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators.\n\nCloud NGFW and Prisma\u00ae Access are not affected by this vulnerability.",
  "id": "GHSA-9w5h-px4f-8h8m",
  "modified": "2026-04-01T03:31:40Z",
  "published": "2025-10-09T21:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4615"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVEN-2025-4615"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F73J-PM2C-RXVR

Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:11
VLAI
Summary
Concrete CMS is Vulnerable to Reflected XSS in Legacy Pagination
Details

Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (). Any authenticated admin or report viewer with access to /dashboard/reports/forms/legacy who clicks the crafted URL fires the payload in their session.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-24T21:11:32Z",
    "nvd_published_at": "2026-05-21T22:16:50Z",
    "severity": "MODERATE"
  },
  "details": "Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection.\u00a0Concrete\\Core\\Legacy\\Pagination builds pagination links by raw-interpolating its $URL field into href=\"\" (\u003ca href=\"{$linkURL}\" \u2026\u003e).\u00a0Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session.",
  "id": "GHSA-f73j-pm2c-rxvr",
  "modified": "2026-06-24T21:11:32Z",
  "published": "2026-05-22T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8245"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concrete CMS is Vulnerable to Reflected XSS in Legacy Pagination"
}

GHSA-FX6J-W5W5-H468

Vulnerability from github – Published: 2026-05-19 15:49 – Updated: 2026-07-08 17:35
VLAI
Summary
Nuxt: Reflected XSS in `navigateTo()` external redirect
Details

Summary

navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin.

This is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed javascript: protocol bypass. The issue here is triggered by any valid URL containing >.

Impact

Applications that pass user-controlled input to navigateTo(url, { external: true }) — typically via a ?next= / ?redirect= query parameter used for post-login or "return to" flows — are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application's origin during the server-rendered redirect response, before the meta-refresh fires.

Details

In packages/nuxt/src/app/composables/router.ts, the SSR redirect path builds an HTML response body with only " percent-encoded in the destination URL:

const encodedLoc = location.replace(/"/g, '%22')
nuxtApp.ssrContext!['~renderResponse'] = {
status: sanitizeStatusCode(options?.redirectCode || 302, 302),
body: `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head></html>`,
headers: { location: encodeURL(location, isExternalHost) },
}

The Location header is normalised through encodeURL() (which uses the URL constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause.

Proof of concept

Global middleware that forwards a query parameter to navigateTo:

// middleware/redirect.global.ts
export default defineNuxtRouteMiddleware((to) => {
const next = to.query.next as string | undefined
if (next) {
 return navigateTo(next, { external: true })
}
})

Request:

GET /?next=https://evil.example/x><img src=x onerror=alert(document.domain)>

Response body:

<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=https://evil.example/x><img src=x onerror=alert(document.domain)>"></head></html>

The > after evil.example/x terminates the content="…" attribute, and the <img onerror> tag executes JavaScript in the application's origin before any redirect occurs.

Patches

Fixed in nuxt@4.4.6 and nuxt@3.21.6 by #35052. The fix percent-encodes the full set of HTML-attribute-significant characters (&, ", ', <, >) before interpolating the URL into the meta-refresh body

Workarounds

If you can't upgrade immediately, validate user-controlled URLs before passing them to navigateTo(url, { external: true }). At minimum, normalise through new URL(input).toString() and reject inputs containing < or > (a normalised URL with these characters is malformed and safe to refuse).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.21.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.3"
            },
            {
              "fixed": "3.21.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:49:25Z",
    "nvd_published_at": "2026-06-12T14:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n`navigateTo()` with `external: true` generates a server-side HTML redirect body containing a `\u003cmeta http-equiv=\"refresh\"\u003e` tag. The destination URL is only sanitized by replacing `\"` with `%22`, leaving `\u003c`, `\u003e`, `\u0026`, and `\u0027` unencoded. An attacker who can influence the URL passed to `navigateTo(url, { external: true })` can break out of the `content=\"\u2026\"` attribute and inject arbitrary HTML/JavaScript that executes under the application\u0027s origin.\n\nThis is a different root cause from CVE-2024-34343 (GHSA-vf6r-87q4-2vjf), which addressed `javascript:` protocol bypass. The issue here is triggered by any valid URL containing `\u003e`.\n\n### Impact\nApplications that pass user-controlled input to `navigateTo(url, { external: true })` \u2014 typically via a `?next=` / `?redirect=` query parameter used for post-login or \"return to\" flows \u2014 are vulnerable to reflected cross-site scripting. The injected script runs in the context of the application\u0027s origin during the server-rendered redirect response, before the meta-refresh fires.\n\n### Details\nIn `packages/nuxt/src/app/composables/router.ts`, the SSR redirect path builds an HTML response body with only `\"` percent-encoded in the destination URL:\n\n```ts\nconst encodedLoc = location.replace(/\"/g, \u0027%22\u0027)\nnuxtApp.ssrContext![\u0027~renderResponse\u0027] = {\nstatus: sanitizeStatusCode(options?.redirectCode || 302, 302),\nbody: `\u003c!DOCTYPE html\u003e\u003chtml\u003e\u003chead\u003e\u003cmeta http-equiv=\"refresh\" content=\"0; url=${encodedLoc}\"\u003e\u003c/head\u003e\u003c/html\u003e`,\nheaders: { location: encodeURL(location, isExternalHost) },\n}\n```\n\nThe `Location` header is normalised through `encodeURL()` (which uses the `URL` constructor and correctly percent-encodes attribute-significant characters). The HTML body uses a narrower sanitiser. That mismatch is the root cause.\n\n### Proof of concept\n\nGlobal middleware that forwards a query parameter to `navigateTo`:\n\n```ts\n// middleware/redirect.global.ts\nexport default defineNuxtRouteMiddleware((to) =\u003e {\nconst next = to.query.next as string | undefined\nif (next) {\n return navigateTo(next, { external: true })\n}\n})\n```\n\nRequest:\n\n```\nGET /?next=https://evil.example/x\u003e\u003cimg src=x onerror=alert(document.domain)\u003e\n```\n\nResponse body:\n\n```html\n\u003c!DOCTYPE html\u003e\u003chtml\u003e\u003chead\u003e\u003cmeta http-equiv=\"refresh\" content=\"0; url=https://evil.example/x\u003e\u003cimg src=x onerror=alert(document.domain)\u003e\"\u003e\u003c/head\u003e\u003c/html\u003e\n```\n\nThe `\u003e` after `evil.example/x` terminates the `content=\"\u2026\"` attribute, and the `\u003cimg onerror\u003e` tag executes JavaScript in the application\u0027s origin before any redirect\noccurs.\n\n### Patches\nFixed in `nuxt@4.4.6` and `nuxt@3.21.6` by [#35052](https://github.com/nuxt/nuxt/pull/35052). The fix percent-encodes the full set of HTML-attribute-significant characters (`\u0026`, `\"`, `\u0027`, `\u003c`, `\u003e`) before interpolating the URL into the meta-refresh body\n\n### Workarounds\nIf you can\u0027t upgrade immediately, validate user-controlled URLs before passing them to `navigateTo(url, { external: true })`. At minimum, normalise through `new URL(input).toString()` and reject inputs containing `\u003c` or `\u003e` (a normalised URL with these characters is malformed and safe to refuse).",
  "id": "GHSA-fx6j-w5w5-h468",
  "modified": "2026-07-08T17:35:00Z",
  "published": "2026-05-19T15:49:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-fx6j-w5w5-h468"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/pull/35052"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nuxt: Reflected XSS in `navigateTo()` external redirect"
}

GHSA-H7R6-9754-JPV8

Vulnerability from github – Published: 2023-08-04 00:30 – Updated: 2024-04-04 06:32
VLAI
Details

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed.

This defect was resolved with the release of Foundry Frontend 6.225.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-03T22:15:12Z",
    "severity": "MODERATE"
  },
  "details": "A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry\u0027s CSP were to be bypassed.\n\nThis defect was resolved with the release of Foundry Frontend 6.225.0.\n\n",
  "id": "GHSA-h7r6-9754-jpv8",
  "modified": "2024-04-04T06:32:32Z",
  "published": "2023-08-04T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30958"
    },
    {
      "type": "WEB",
      "url": "https://palantir.safebase.us/?tcuUid=5764b094-d3c0-4380-90f2-234f36116c9b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M2JW-CJ8V-937R

Vulnerability from github – Published: 2025-02-26 20:06 – Updated: 2025-02-26 20:06
VLAI
Summary
copyparty renders unsanitized filenames as HTML when user uploads empty files
Details

Summary

A DOM-Based XSS was discovered in copyparty, a portable fileserver. The vulnerability is considered low-risk.

Details

By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes).

Note: As a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in <script> tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened.

Proof of Concept (POC)

  1. Create an empty file named <img src=x onerror="alert(1)">
  2. Drag-and-drop the file into the browser to initiate an upload
  3. The alert(1) is executed
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "copyparty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-26T20:06:56Z",
    "nvd_published_at": "2025-02-25T02:15:16Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nA [DOM-Based XSS](https://capec.mitre.org/data/definitions/588.html) was discovered in [copyparty](https://github.com/9001/copyparty), a portable fileserver. The vulnerability is considered low-risk.\n\n## Details\n\nBy handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty\u0027s Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes).\n\nNote: As a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in `\u003cscript\u003e` tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened.\n\n## Proof of Concept (POC)\n\n1. Create an empty file named `\u003cimg src=x onerror=\"alert(1)\"\u003e`\n2. Drag-and-drop the file into the browser to initiate an upload\n3. The `alert(1)` is executed",
  "id": "GHSA-m2jw-cj8v-937r",
  "modified": "2025-02-26T20:06:56Z",
  "published": "2025-02-26T20:06:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/9001/copyparty/security/advisories/GHSA-m2jw-cj8v-937r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/9001/copyparty/commit/438ea6ccb06f39d7cbb4b6ee7ad44606e21a63dd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/9001/copyparty"
    },
    {
      "type": "WEB",
      "url": "https://github.com/9001/copyparty/releases/tag/v1.16.15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "copyparty renders unsanitized filenames as HTML when user uploads empty files"
}

GHSA-RHJ6-R49H-5932

Vulnerability from github – Published: 2026-06-18 15:04 – Updated: 2026-06-18 15:04
VLAI
Summary
Kirby: Self cross-site scripting (self-XSS) in the writer field
Details

TL;DR

This vulnerability affects Kirby sites that use the writer field in any blueprint.

It was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it.

A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack cannot be automated.

In Kirby's default configuration, the vulnerability is limited to self-XSS and cannot directly affect other users or visitors of the site. Panel plugins that are directly using the <k-writer> component may also be affected by stored XSS if they don't sanitize the resulting HTML before saving it to the content.

This vulnerability is of high severity for affected sites.


Introduction

Cross-site scripting (XSS) is a type of vulnerability that allows attackers to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby's API with the permissions of the victim.

Self cross-site scripting (self-XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting and executing malicious JavaScript code into the browser's developer console, address bar or form fields.

In a stored XSS attack, the malicious payload is saved into the content data and has the potential to affect other users or site visitors.

Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.

Affected components

The writer field allows users to input formatted text, including links to arbitrary URLs and email addresses. Its link and email marks are therefore a target for XSS attacks.

As the vulnerability is in the writer mark components, it also affects all uses of the <k-writer> component in Panel plugins.

Impact

In affected releases, the link and email marks did not prevent XSS payloads from being submitted to the writer field's content data:

  • The link mark allowed users to enter JavaScript URLs using the "custom" URL type. These URLs would already be sanitized by the backend before storing the malicious link in the content file. However, the link may be clicked by the same user who entered it before the content is saved.
  • The email mark was also vulnerable to injected JavaScript URLs. However, it was not possible to perform the attack via the Panel user interface due to email validation. The attack needed to be performed via a side channel such as the browser console.

The vulnerability allows attackers to inject malicious links into content. If the authenticated user clicked such a link before saving the content, the malicious script code would then be executed in their browser.

Patches

The problem has been patched in Kirby 4.9.4 and Kirby 5.4.4. Please update to one of these or a later version to fix the vulnerability.

In all of the mentioned releases, we have added more robust validation against dangerous URL schemes that are entered in the affected writer marks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.9.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.4.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "getkirby/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha.1"
            },
            {
              "fixed": "5.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T15:04:41Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### TL;DR\n\nThis vulnerability affects Kirby sites that use the writer field in any blueprint.\n\nIt was possible to include a scripting link as the target of a link (or email link). This link target would then be clickable by the user who entered it.\n\nA successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack *cannot* be automated.\n\nIn Kirby\u0027s default configuration, the vulnerability is limited to self-XSS and *cannot* directly affect other users or visitors of the site. Panel plugins that are directly using the `\u003ck-writer\u003e` component may also be affected by stored XSS if they don\u0027t sanitize the resulting HTML before saving it to the content.\n\n**This vulnerability is of high severity for affected sites.**\n\n----\n\n### Introduction\n\nCross-site scripting (XSS) is a type of vulnerability that allows attackers to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can, for example, trigger requests to Kirby\u0027s API with the permissions of the victim.\n\n*Self* cross-site scripting (self-XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting and executing malicious JavaScript code into the browser\u0027s developer console, address bar or form fields.\n\nIn a *stored* XSS attack, the malicious payload is saved into the content data and has the potential to affect other users or site visitors.\n\nSuch vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.\n\n### Affected components\n\nThe `writer` field allows users to input formatted text, including links to arbitrary URLs and email addresses. Its `link` and `email` marks are therefore a target for XSS attacks.\n\nAs the vulnerability is in the writer mark components, it also affects all uses of the `\u003ck-writer\u003e` component in Panel plugins.\n\n### Impact\n\nIn affected releases, the `link` and `email` marks did not prevent XSS payloads from being submitted to the writer field\u0027s content data:\n\n- The `link` mark allowed users to enter JavaScript URLs using the \"custom\" URL type. These URLs would already be sanitized by the backend before storing the malicious link in the content file. However, the link may be clicked by the same user who entered it before the content is saved.\n- The `email` mark was also vulnerable to injected JavaScript URLs. However, it was not possible to perform the attack via the Panel user interface due to email validation. The attack needed to be performed via a side channel such as the browser console.\n\nThe vulnerability allows attackers to inject malicious links into content. If the authenticated user clicked such a link before saving the content, the malicious script code would then be executed in their browser.\n\n### Patches\n\nThe problem has been patched in [Kirby 4.9.4](https://github.com/getkirby/kirby/releases/tag/4.9.4) and [Kirby 5.4.4](https://github.com/getkirby/kirby/releases/tag/5.4.4). Please update to one of these or a [later version](https://github.com/getkirby/kirby/releases) to fix the vulnerability.\n\nIn all of the mentioned releases, we have added more robust validation against dangerous URL schemes that are entered in the affected writer marks.",
  "id": "GHSA-rhj6-r49h-5932",
  "modified": "2026-06-18T15:04:41Z",
  "published": "2026-06-18T15:04:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/security/advisories/GHSA-rhj6-r49h-5932"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getkirby/kirby"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/4.9.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getkirby/kirby/releases/tag/5.4.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kirby: Self cross-site scripting (self-XSS) in the writer field"
}

GHSA-VF6R-87Q4-2VJF

Vulnerability from github – Published: 2024-08-05 19:49 – Updated: 2025-05-15 21:26
VLAI
Summary
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR
Details

Summary

The navigateTo function attempts to blockthe javascript: protocol, but does not correctly use API's provided by unjs/ufo. This library also contains parsing discrepancies.

Details

The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol.

After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values.

Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing.

The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks.

Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks.

PoC

POC - https://stackblitz.com/edit/nuxt-xss-navigateto?file=app.vue

Attempt payload X, then attempt payload Y.

Impact

XSS, access to cookies, make requests on user's behalf.

Recommendations

As always with these bugs, the URL constructor provided by the browser is always the safest method of parsing a URL.

Given the cross-platform requirements of nuxt/ufo a more appropriate solution is to make parsing consistent between functions, and to adapt parsing to be more consistent with the WHATWG URL specification.

Note

I've reported this vulnerability here as it is unclear if this is a bug in ufo or a misuse of the ufo library.

This ONLY has impact after SSR has occurred, the javascript: protocol within a location header does not trigger XSS.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nuxt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-05T19:49:22Z",
    "nvd_published_at": "2024-08-05T21:15:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API\u0027s provided by `unjs/ufo`. This library also contains parsing discrepancies.\n\n### Details\nThe function first tests to see if the specified [URL has a protocol](https://github.com/nuxt/nuxt/blob/fa9d43753d25fc2e8c3107f194b2bab6d4ebcb9a/packages/nuxt/src/app/composables/router.ts#L142). This uses the [unjs/ufo](https://github.com/unjs/ufo) package for URL parsing. This function works effectively, and returns true for a `javascript:` protocol.\n\nAfter this, the URL is parsed using the [`parseURL`](https://github.com/unjs/ufo/blob/e970686b2acae972136f478732450f6a2f1ab5e5/src/parse.ts#L47) function. This function will refuse to parse poorly formatted URLs. Parsing `javascript:alert(1)` returns null/\"\" for all values. \n\nNext, the protocol of the URL is then checked using the [`isScriptProtocol`](https://github.com/unjs/ufo/blob/e970686b2acae972136f478732450f6a2f1ab5e5/src/utils.ts#L74) function. This function simply checks the input against a list of protocols, and does not perform any parsing. \n\nThe combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the `parseURL` implementation, bypassing the `isScriptProtocol` checks. \n\nCertain special protocols are identified at the top of [`parseURL`](https://github.com/unjs/ufo/blob/e970686b2acae972136f478732450f6a2f1ab5e5/src/parse.ts#L49). Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. \n\n### PoC\nPOC - https://stackblitz.com/edit/nuxt-xss-navigateto?file=app.vue\n\nAttempt payload X, then attempt payload Y.\n\n### Impact\nXSS, access to cookies, make requests on user\u0027s behalf. \n\n### Recommendations\nAs always with these bugs, the `URL` constructor provided by the browser is always the safest method of parsing a URL. \n\nGiven the cross-platform requirements of nuxt/ufo a more appropriate solution is to make parsing consistent between functions, and to adapt parsing to be more consistent with the [WHATWG URL specification](https://url.spec.whatwg.org/).\n\n### Note\nI\u0027ve reported this vulnerability here as it is unclear if this is a bug in ufo or a misuse of the ufo library.\n\nThis ONLY has impact after SSR has occurred, the `javascript:` protocol within a location header does not trigger XSS.",
  "id": "GHSA-vf6r-87q4-2vjf",
  "modified": "2025-05-15T21:26:45Z",
  "published": "2024-08-05T19:49:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-vf6r-87q4-2vjf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34343"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nuxt/nuxt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR"
}

Mitigation
Implementation

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Mitigation MIT-30.1
Implementation

Strategy: Output Encoding

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Mitigation MIT-31
Implementation

Strategy: Attack Surface Reduction

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CAPEC-243: XSS Targeting HTML Attributes

An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.

CAPEC-244: XSS Targeting URI Placeholders

An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.

CAPEC-588: DOM-Based XSS

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.