← Back to Findings

info User Controllable HTML Element Attribute (Potential XSS)

Details

Severityinfo
StatusOpen
Enginezap
Target URLhttps://easm.liifecore.com/technologies/detail?name=Chart.js&version=4.4.7
First Seen2026-07-14 03:00:20 UTC
Last Seen2026-07-14 03:00:20 UTC
CWECWE-20

Description

This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.

Evidence

User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:

https://easm.liifecore.com/technologies/detail?name=Chart.js&version=4.4.7

appears to include user input in:
a(n) [input] tag [value] attribute

The user input found was:
name=Chart.js

The user-controlled value was:
chart.js

Raw Output

{
  "alert": "User Controllable HTML Element Attribute (Potential XSS)",
  "alertRef": "10031",
  "attack": "",
  "confidence": "Low",
  "cweid": "20",
  "description": "This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.",
  "evidence": "",
  "id": "448",
  "inputVector": "",
  "messageId": "362",
  "method": "GET",
  "name": "User Controllable HTML Element Attribute (Potential XSS)",
  "other": "User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:\n\nhttps://easm.liifecore.com/technologies/detail?name=Chart.js\u0026version=4.4.7\n\nappears to include user input in:\na(n) [input] tag [value] attribute\n\nThe user input found was:\nname=Chart.js\n\nThe user-controlled value was:\nchart.js",
  "param": "name",
  "pluginId": "10031",
  "reference": "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html",
  "risk": "Informational",
  "solution": "Validate all input and sanitize output it before writing to any HTML attributes.",
  "sourceMessageId": 362,
  "sourceid": "3",
  "tags": {
    "CWE-20": "https://cwe.mitre.org/data/definitions/20.html",
    "OWASP_2017_A01": "https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html",
    "OWASP_2021_A03": "https://owasp.org/Top10/A03_2021-Injection/",
    "POLICY_PENTEST": ""
  },
  "url": "https://easm.liifecore.com/technologies/detail?name=Chart.js\u0026version=4.4.7",
  "wascid": "20"
}

Update Status