VYPR

CWE-692

Incomplete Denylist to Cross-Site Scripting

Structure: Compound · Status: Draft

Description

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

While XSS might seem simple to prevent, web browsers vary so widely in how they parse web pages that a denylist cannot keep track of all the variations. The "XSS Cheat Sheet" [REF-714] contains a large number of attacks that are intended to bypass incomplete denylists.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-120 · CAPEC-267 · CAPEC-71 · CAPEC-80 · CAPEC-85

CVEs mapped to this weakness (4)

  • CVE-2025-20240 · Med · Sep 24, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected device. This vulnerability is due to improper sanitization of user-supplied…

  • CVE-2025-53904 · Low · Jul 16, 2025
    risk 0.08 · cvss n/a · epss 0.00

    The Scratch Channel is a news website that is under development as of time of this writing. The file `/api/admin.js` contains code that could make the website vulnerable to cross-site scripting. No known patches exist as of time of publication.

  • CVE-2024-52305 · Nov 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. A vulnerability exists in the Create User process, allowing the creation of a new admin account with an option to upload a profile image. An attacker can upload a malicious SVG…

  • CVE-2023-26047 · Mar 3, 2023
    risk 0.00 · cvss n/a · epss 0.01

    teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and…