SYM_JSTS_0092 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

| Property | Value |
|---|---|
| Language | javascript |
| Severity | medium |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |

Description

The code passes text taken from the page's own URL (window.location.search, window.location.hash, document.URL or similar) into a sink that compiles and runs JavaScript: eval(), new Function(), or the string-argument forms of setTimeout() and setInterval(). Because a victim only has to open a crafted link, the query string and fragment are attacker-controlled, so anything placed there is executed as JavaScript in the victim's browser. Quoting or parenthesising the input is not a fix; the string is still parsed as code and can break out of the intended expression.
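The following is an added example, not code from the wiki or from any project it describes. It simulates a page that stores view state in the URL fragment and a page that picks a callback from the query string, with constructed `location` objects standing in for `window.location`. The names (`loadStateVulnerable`, `handlers`, the `pwned` marker on `globalThis`) are assumptions made for the demo; the attacker payloads set a global flag instead of calling `alert()` so the effect is observable outside a browser.

```javascript
// Added example, not the wiki's own code. `location` objects are constructed
// stand-ins for window.location; in a real page the attacker controls them by
// sending the victim a link such as https://app.example/#state=...

// Vulnerable: the fragment is handed to eval() to "parse" a JSON-looking object.
// eval() compiles and runs whatever JavaScript the attacker put in the URL (CWE-95).
function loadStateVulnerable(location) {
  const raw = decodeURIComponent(location.hash.replace(/^#state=/, ""));
  return eval("(" + raw + ")");
}

// Hardened: JSON.parse only accepts data, never code, and the result is validated
// before use; anything unexpected falls back to a default.
function loadStateSafe(location) {
  let state;
  try {
    state = JSON.parse(decodeURIComponent(location.hash.replace(/^#state=/, "")));
  } catch {
    return { page: 1 };
  }
  const page = Number.isInteger(state?.page) && state.page > 0 ? state.page : 1;
  return { page };
}

// Constructed inputs: a benign link and an attacker's link. The payload uses the
// comma operator so the expression still yields an object and the page keeps working.
const benignHash = { hash: "#state=" + encodeURIComponent('{"page":2}') };
const maliciousHash = {
  hash: "#state=" + encodeURIComponent('(globalThis.pwned = "xss", {"page":2})'),
};

// Same bug through new Function(): a callback name from ?cb= is concatenated into
// code. setTimeout("handlers." + name + "()", 0) would behave identically in a browser.
const handlers = {
  showCart: () => "cart shown",
  showHelp: () => "help shown",
};

function runCallbackVulnerable(location) {
  const name = new URLSearchParams(location.search).get("cb") ?? "showHelp";
  return new Function("handlers", "return handlers." + name + "()")(handlers);
}

// Hardened: the URL only selects a key from an allowlist; it never becomes code.
// hasOwnProperty.call also blocks inherited names such as "constructor".
function runCallbackSafe(location) {
  const name = new URLSearchParams(location.search).get("cb") ?? "showHelp";
  const fn = Object.prototype.hasOwnProperty.call(handlers, name)
    ? handlers[name]
    : handlers.showHelp;
  return fn();
}

const benignSearch = { search: "?cb=showCart" };
// The comma expression runs attacker code and still returns a valid handler result.
const maliciousSearch = {
  search: "?cb=" + encodeURIComponent("showHelp,globalThis.pwned2=1,handlers.showHelp"),
};
```

Run it under Node: after `loadStateVulnerable(maliciousHash)` and `runCallbackVulnerable(maliciousSearch)` the globals `pwned` and `pwned2` are set, even though both calls return the same values as for a benign URL, which is why this class of bug is easy to miss in functional testing. The hardened versions return a default or the allowlisted handler and never execute the payload.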

Impact

If exploited, an attacker can execute arbitrary JavaScript in the victim's browser with the full privileges of the vulnerable page's origin, which is a DOM-based Cross-Site Scripting (XSS) condition. Because the payload lives in the URL and is executed by the page's own client-side code, it can bypass server-side output encoding and, when carried in the fragment (#), never reaches the server at all. The result can be theft of session tokens and other data readable by script, account compromise, or actions performed on behalf of the user, putting both user data and application security at risk.