[Precogs Alert] Cross-Site Scripting (XSS) detected (CWE-79, Risk: High)
Vulnerability Details
- File Path: assets/js/script.js
- Vulnerability Type: Cross-Site Scripting (XSS)
- Risk Level: High
Explanation:
The code directly injects untrusted data from the JSON file (procedure.type, procedure.title, procedure.description, procedure.link) into the DOM using innerHTML. If an attacker can modify the config.json file or if the file is fetched from an untrusted source, they could inject malicious HTML or JavaScript code. This would result in a stored or reflected Cross-Site Scripting (XSS) vulnerability, allowing arbitrary script execution in the context of the user’s browser. For example, if procedure.title contains , this would execute JavaScript when the page is loaded. The use of innerHTML with untrusted data is a well-known XSS vector.
Attack Scenario: An attacker gains write access to the config.json file (e.g., via a supply chain compromise, misconfigured server, or insider threat) and injects a payload such as {"title": "<img src=x onerror=alert('XSS')>", ...}. When a user loads the page, the malicious code executes in their browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user.
Potential Impact: Confidentiality (theft of sensitive data), Integrity (modification of page content or actions), and Availability (potential for defacement or denial of service via script injection).
Please investigate and resolve this issue to maintain code security and quality.