Code Security Finding: Cross-Site Scripting (CWE-79, High Severity) in AbstractServlet.java:94

[joshn-whitesource-app]

Code Security Finding

This finding was first detected on 2024-02-07 12:17am GMT and is still present in the last scan performed on 2024-02-15 10:26pm GMT:

Severity	Vulnerability Type	CWE	File	Data Flows
High	Cross-Site Scripting	CWE-79	AbstractServlet.java:94	12
Vulnerable Code easybuggy/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java Lines 89 to 94 in b9f2abf writer.write("</td>"); } writer.write("</tr>"); writer.write("</table>"); writer.write("<hr style=\"margin-top:0px\">"); writer.write(htmlBody); 12 Data Flow/s detected View Data Flow 1 easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java Line 21 in b9f2abf String strNumber = req.getParameter("number"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java Line 31 in b9f2abf "<input type=\"text\" name=\"number\" size=\"1\" maxlength=\"1\" value=" + strNumber + ">"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java Line 30 in b9f2abf bodyHtml.append( easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java Line 44 in b9f2abf responseToClient(req, res, getMsg("title.truncationerror.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java Line 44 in b9f2abf responseToClient(req, res, getMsg("title.truncationerror.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java Line 44 in b9f2abf responseToClient(req, res, getMsg("title.truncationerror.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java Line 31 in b9f2abf protected void responseToClient(HttpServletRequest req, HttpServletResponse res, String htmlTitle, String htmlBody) { easybuggy/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java Line 94 in b9f2abf writer.write(htmlBody); View Data Flow 2 easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java Line 22 in b9f2abf String strNumber = req.getParameter("number"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java Line 30 in b9f2abf bodyHtml.append("<input type=\"text\" name=\"number\" size=\"1\" maxlength=\"1\" value=" + strNumber + ">"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java Line 30 in b9f2abf bodyHtml.append("<input type=\"text\" name=\"number\" size=\"1\" maxlength=\"1\" value=" + strNumber + ">"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java Line 43 in b9f2abf responseToClient(req, res, getMsg("title.roundofferror.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java Line 43 in b9f2abf responseToClient(req, res, getMsg("title.roundofferror.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java Line 43 in b9f2abf responseToClient(req, res, getMsg("title.roundofferror.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java Line 31 in b9f2abf protected void responseToClient(HttpServletRequest req, HttpServletResponse res, String htmlTitle, String htmlBody) { easybuggy/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java Line 94 in b9f2abf writer.write(htmlBody); View Data Flow 3 easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java Line 27 in b9f2abf String pingURL = req.getParameter("pingurl"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java Line 42 in b9f2abf bodyHtml.append("<td>" + pingURL + "</td></tr>"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java Line 42 in b9f2abf bodyHtml.append("<td>" + pingURL + "</td></tr>"); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java Line 54 in b9f2abf responseToClient(req, res, getMsg("title.netsocketleak.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java Line 54 in b9f2abf responseToClient(req, res, getMsg("title.netsocketleak.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java Line 54 in b9f2abf responseToClient(req, res, getMsg("title.netsocketleak.page", locale), bodyHtml.toString()); easybuggy/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java Line 31 in b9f2abf protected void responseToClient(HttpServletRequest req, HttpServletResponse res, String htmlTitle, String htmlBody) { easybuggy/src/main/java/org/t246osslab/easybuggy/core/servlets/AbstractServlet.java Line 94 in b9f2abf writer.write(htmlBody); View more Data Flows Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior Cross-Site Scripting Video 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk