Threat 1 -
Vulnerability Details - Cross-site scripting (DOM-based)
DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.
DOM-based cross-site scripting arises when a script writes controllable data into the HTML document in an unsafe way.
Impact details -
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Recommended Mitigation -
The most effective way to avoid DOM-based cross-site scripting vulnerabilities is not to dynamically write data from any untrusted source into the HTML document.
In many cases, the relevant data can be validated on a whitelist basis, to allow only content that is known to be safe.
In other cases, it will be necessary to sanitize or encode the data.
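Added example (not taken from the assessed application) - the unsafe pattern described above next to the two mitigations: whitelist validation and HTML encoding. The parameter names `tab` and `name`, the function names, the allowed values and the sample URLs are all assumptions constructed for illustration.

```javascript
// Hypothetical allowlist of values the page is prepared to render.
const ALLOWED_TABS = new Set(["overview", "billing", "settings"]);

// Whitelist validation: only known-safe values pass, anything else
// falls back to a fixed default instead of being written to the page.
function pickTab(url) {
  const tab = new URL(url).searchParams.get("tab");
  return ALLOWED_TABS.has(tab) ? tab : "overview";
}

// Encoding for data placed in HTML element content or a quoted attribute.
// It is not sufficient for script, style or URL contexts.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: URL-controlled data concatenated straight into markup
// (the string would then be assigned to a sink such as innerHTML).
function greetingUnsafe(url) {
  const name = new URL(url).searchParams.get("name") ?? "";
  return "<p>Hello, " + name + "</p>";
}

// Hardened: the same data is encoded before it reaches the markup.
// In a browser, assigning the raw value to element.textContent avoids
// building markup from untrusted data at all.
function greetingEncoded(url) {
  const name = new URL(url).searchParams.get("name") ?? "";
  return "<p>Hello, " + encodeHtml(name) + "</p>";
}

// Constructed sample URLs carrying markup in both parameters.
const sample = "https://app.example/page?tab=billing&name=%3Ci%3EAda%3C%2Fi%3E";
const badTab = "https://app.example/page?tab=%22%3E%3Ci%3E&name=Ada";

console.log(greetingUnsafe(sample));  // markup from the URL survives intact
console.log(greetingEncoded(sample)); // markup is rendered inert
console.log(pickTab(sample), pickTab(badTab));
```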
Threat 2 -
Threat Details - The HttpOnly flag makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.
Vulnerability Details - Cookie without HttpOnly flag set
The session cookie doesn't have the HttpOnly flag set.
Affected URLs -
There are 39 instances of this issue: