Misbehaviour LossOfExtrinsic-XS-TW

URI: LossOfExtrinsic-XS-TW

Description: Discovery by potential attackers of a vulnerability in a service whose exploitation would allow injection of malicious scripts into a client process.

This misbehaviour affects the trustworthiness attribute Extrinsic-XS-TW

Process

Represents a process (usually implemented by software running on a Host) that can read, update or create data, or exchange data with other processes.

P.E-XS.HP-iT.8

Vulnerability (XS) discovered at Process: software vulnerability found in process Process, which could allow a cross-site scripting attack on a client, and may be known to attackers. Around 14 percent of vulnerabilities relate to cross site scripting, including 32 percent of vulnerabilities relating to medium complexity exploits (NVD 2015-2019).

(empty)

CC.AuC.DFrXSS.3

Reflected XSS exploit on Client via Service injected via client input Data from FlowsFrom: an attacker who can inject malicious content into input Data flowing to Client from FlowsFrom can exploit a bug in Service to send a harmful script to the client browser. We assume this will make the browser leak authentication credentials, such as a password or session key.

CC.AuC.DFsXSS.3

Stored XSS exploit against Client by Service injected via input Data from FlowsFrom: an attacker who can inject malicious content into input Data flowing to Service from FlowsFrom can exploit a bug in Service, and send a harmful script to a trusting client browser Client. We assume this will make the browser leak authentication credentials, such as a password or session key.

CC.AuC.DSrXSS.3

Reflected XSS exploit on Client from Service injected via locally stored client input Data: an attacker who can inject malicious content into locally stored input Data used by Client can exploit a bug in Service and send a harmful script to the client browser. We assume this will make the browser leak authentication credentials, such as a password or session key.

CC.AuC.DSsXSS.3

Stored XSS exploit from Service against Client: an attacker who can inject malicious content into service input Data stored on SHost can exploit a bug in Service, and send a harmful script to a trusting client browser Client. We assume this will make the browser leak authentication credentials, such as a password or session key.

P.A.HuDFrXSS.6

Service Service disabled to prevent XSS attack on Client via its input Data from FlowsFrom: if service Service is disabled by HostManager to prevent XSS attacks using malicious content injected via Data from FlowsFrom, this will make the service unavailable.

P.A.HuDFsXSS.6

Service Service disabled to prevent XSS attack on Client injected via input Data from FlowsFrom: if service Service is disabled to prevent XSS attacks on Client injected via input Data from FlowsFrom, then Service will be unavailable.

P.A.HuDSrXSS.6

Service Service disabled to prevent XSS attack on Client via its input Data: if service Service is disabled to prevent XSS attacks using malicious content injected via locally stored inpuut Data, this will make the service unavailable.

P.A.HuDSsXSS.6

Service Service disabled to prevent XSS attack on Client injected via local input Data: if service Service is disabled to prevent XSS attacks on Client injected via input Data, then Service will be unavailable.