SYM_JSTS_0120 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

| Property | Value |
|---|---|
| Language | javascript |
| Severity | medium |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Medium |

Description

Using eval() or Function() to execute code built from strings allows an attacker to inject and run arbitrary JavaScript whenever any part of that string is user-controlled. Because the string is compiled and executed with the same privileges as the surrounding code, this practice leaves the application open to code injection.
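The following is an added example, not code from the Symbiotic database or any project it describes. It shows one common way this pattern appears in practice: a helper that reads a caller-chosen nested field, first implemented with Function() (the path string is compiled as code) and then with plain property lookups on validated segments. The record, the helper names and the field paths are constructed for illustration.

```javascript
'use strict';

// Constructed sample record standing in for data loaded by the application.
const record = { user: { name: 'alice', role: 'viewer' } };

// UNSAFE (CWE-95): the path string is spliced into JavaScript source and
// compiled. Anything the caller puts in `path` runs with full privileges.
function getFieldUnsafe(obj, path) {
  return new Function('obj', 'return obj.' + path)(obj);
}

// SAFE: the path stays data. Each segment must look like an identifier, the
// object is walked with ordinary property access, and no code is generated.
const SEGMENT = /^[A-Za-z_$][\w$]*$/;

function getFieldSafe(obj, path) {
  const segments = path.split('.');
  if (!segments.every((s) => SEGMENT.test(s))) {
    throw new Error('invalid field path');
  }
  let cur = obj;
  for (const s of segments) {
    // Own-property check: do not follow inherited members such as toString.
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, s)) {
      return undefined;
    }
    cur = cur[s];
  }
  return cur;
}

// Both helpers agree on a benign path...
console.log(getFieldUnsafe(record, 'user.name')); // alice
console.log(getFieldSafe(record, 'user.name'));   // alice

// ...but the Function() version executes whatever expression it is handed,
// while the safe version rejects anything that is not a dotted field path.
console.log(getFieldUnsafe(record, 'user.name.toUpperCase()')); // ALICE (code ran)
try {
  getFieldSafe(record, 'user.name.toUpperCase()');
} catch (e) {
  console.log('rejected:', e.message); // rejected: invalid field path
}
```

A static check for this class of bug is simply to flag every `eval(` and `new Function(` whose argument is not a literal; the safe version above contains neither.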

Impact

If exploited, an attacker could execute arbitrary code on your server or within your application, leading to data theft, service disruption, or further compromise of your system. This could result in loss of sensitive information, unauthorized actions, or complete takeover of the application.