CWE
Home > CWE List > CWE-82 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-82 Individual Dictionary Definition (Draft 9)

Failure to Sanitize Script in Attributes of IMG Tags in a Web Page
Weakness ID
Status: Incomplete

82 (Weakness Variant)

Description

Summary

A Web application that trusts input in the form of HTML IMG tags is potentially vulnerable to XSS attacks. Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim's browser. Note that when the page is loaded into a user's browsers, the exploit will automatically execute.

Potential Mitigations

see the vulnerability category "Cross-site scripting (XSS)"

Observed Examples
ReferenceDescription
CVE-2002-1649javascript URI scheme in IMG tag.
CVE-2002-1803javascript URI scheme in IMG tag.
CVE-2002-1804javascript URI scheme in IMG tag.
CVE-2002-1805javascript URI scheme in IMG tag.
CVE-2002-1806javascript URI scheme in IMG tag.
CVE-2002-1807javascript URI scheme in IMG tag.
CVE-2002-1808javascript URI scheme in IMG tag.
Relationships
NatureTypeIDName
ChildOfWeakness BaseWeakness BaseWeakness Base79Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
Source Taxonomies

PLOVER - Script in IMG tags

Applicable Platforms

All

Related Attack Patterns
CAPEC-IDAttack Pattern Name
18Embedding Scripts in Nonscript Elements
91XSS in IMG Tags
Back to top
Page Last Updated: April 22, 2008
 

CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is hosted by The MITRE Corporation.
Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us