info User Controllable HTML Element Attribute (Potential XSS)
Details
| Severity | info |
|---|---|
| Status | Open |
| Engine | zap |
| Target URL | https://easm.liifecore.com/technologies/detail?name=Chart.js&version=4.4.7 |
| First Seen | 2026-07-14 03:00:20 UTC |
| Last Seen | 2026-07-14 03:00:20 UTC |
| CWE | CWE-20 |
Description
This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.
Evidence
User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: https://easm.liifecore.com/technologies/detail?name=Chart.js&version=4.4.7 appears to include user input in: a(n) [input] tag [value] attribute The user input found was: name=Chart.js The user-controlled value was: chart.js
Raw Output
{
"alert": "User Controllable HTML Element Attribute (Potential XSS)",
"alertRef": "10031",
"attack": "",
"confidence": "Low",
"cweid": "20",
"description": "This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.",
"evidence": "",
"id": "448",
"inputVector": "",
"messageId": "362",
"method": "GET",
"name": "User Controllable HTML Element Attribute (Potential XSS)",
"other": "User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:\n\nhttps://easm.liifecore.com/technologies/detail?name=Chart.js\u0026version=4.4.7\n\nappears to include user input in:\na(n) [input] tag [value] attribute\n\nThe user input found was:\nname=Chart.js\n\nThe user-controlled value was:\nchart.js",
"param": "name",
"pluginId": "10031",
"reference": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html",
"risk": "Informational",
"solution": "Validate all input and sanitize output it before writing to any HTML attributes.",
"sourceMessageId": 362,
"sourceid": "3",
"tags": {
"CWE-20": "https://cwe.mitre.org/data/definitions/20.html",
"OWASP_2017_A01": "https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html",
"OWASP_2021_A03": "https://owasp.org/Top10/A03_2021-Injection/",
"POLICY_PENTEST": ""
},
"url": "https://easm.liifecore.com/technologies/detail?name=Chart.js\u0026version=4.4.7",
"wascid": "20"
}