Improper Sanitization of Script in Attributes of IMG Tags in a Web Page
Weakness ID: 82 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

The web application does not filter or incorrectly filters scripting elements within attributes of HTML IMG tags, such as the src attribute.

Extended Description

Attackers can embed XSS exploits into the values for IMG attributes (e.g. SRC) that is streamed and then executed in a victim's browser. Note that when the page is loaded into a user's browsers, the exploit will automatically execute.

+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Observed Examples
CVE-2006-3211Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.
CVE-2002-1649javascript URI scheme in IMG tag.
CVE-2002-1803javascript URI scheme in IMG tag.
CVE-2002-1804javascript URI scheme in IMG tag.
CVE-2002-1805javascript URI scheme in IMG tag.
CVE-2002-1806javascript URI scheme in IMG tag.
CVE-2002-1807javascript URI scheme in IMG tag.
CVE-2002-1808javascript URI scheme in IMG tag.
+ Potential Mitigations

see the vulnerability category "Cross-site scripting (XSS)"

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness VariantWeakness Variant83Failure to Sanitize Script in Attributes in a Web Page
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERScript in IMG tags
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
18Embedding Scripts in Nonscript Elements
91XSS in IMG Tags
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
2008-10-14CWE Content TeamMITREInternal
updated Description
2009-05-27CWE Content TeamMITREInternal
updated Description, Name
2009-10-29CWE Content TeamMITREInternal
updated Relationships
2009-12-28CWE Content TeamMITREInternal
updated Observed Examples
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Script in IMG Tags
2009-05-27Failure to Sanitize Script in Attributes of IMG Tags in a Web Page