SYM_GEN_0043 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description

Using `spring:eval` with a dynamically built expression can allow untrusted data to be executed as code on the server. If user input is not properly filtered before it reaches the expression, attackers can inject malicious expressions into your JSP pages.
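The vulnerable pattern this entry describes, next to a hardened form, as an added example (not code from the database or from the Spring project). It assumes a Spring MVC controller has placed an `order` object with a `total` field and a `taxRate` number in the model; the `formula` and `mode` request parameters are hypothetical.

```jsp
<%-- Added example (not from the database). Assumes the controller put "order"
     (with a "total" field) and "taxRate" into the model before rendering. --%>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<%-- VULNERABLE (CWE-95): the expression string itself comes from the request.
     The container resolves ${param.formula} first, so whatever text the client
     sent becomes the expression that spring:eval parses and evaluates. --%>
<spring:eval expression="${param.formula}" var="badResult" />
<p>Result: <c:out value="${badResult}" /></p>

<%-- HARDENED: the expression is a fixed literal written by the developer.
     Request data never reaches the expression parser; model attributes are
     read as values, not as code. htmlEscape="true" escapes the rendered
     result so it cannot inject markup into the page. --%>
<spring:eval expression="order.total * (1 + taxRate)" var="grossTotal" />
<p>Gross total: <c:out value="${grossTotal}" /></p>

<%-- When the user may choose between calculations, map the choice to one of
     several fixed expressions instead of passing their text through. --%>
<c:choose>
  <c:when test="${param.mode == 'net'}">
    <spring:eval expression="order.total" htmlEscape="true" />
  </c:when>
  <c:otherwise>
    <spring:eval expression="order.total * (1 + taxRate)" htmlEscape="true" />
  </c:otherwise>
</c:choose>
```

A detection rule for this pattern is any `spring:eval` whose `expression` attribute contains `${` or `<%=`, since the attribute should only ever hold a literal.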
## Impact

If exploited, an attacker could execute arbitrary code on the server, compromise sensitive data, or alter application behavior. This can lead to data breaches, unauthorized access, or complete system compromise.