Improper Control of Generation of Code (‘Code Injection’)
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Passing user-controlled input directly to Razor.Parse allows attackers to inject and execute malicious code within the server application. This occurs when untrusted data is used to generate or render Razor templates without proper validation or sanitization.
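The flagged pattern beside a corrected form, as an added example that is not part of the original rule page. It assumes the RazorEngine 3.x static `Razor.Parse(template, model)` API; `GreetingModel`, `GreetingRenderer`, the template text and the sample input are hypothetical and constructed for illustration.

```csharp
using System;
using RazorEngine; // assumption: RazorEngine 3.x NuGet package (static Razor API)

// Hypothetical model type used only for this example.
public class GreetingModel
{
    public string Name { get; set; }
}

public static class GreetingRenderer
{
    // Template source is a compile-time constant: request data never becomes Razor source.
    private const string GreetingTemplate = "<p>Hello, @Model.Name!</p>";

    // VULNERABLE: userInput is concatenated into the template source, so any
    // Razor expression or code block it contains is compiled and run on the server.
    public static string RenderUnsafe(string userInput)
    {
        string template = "<p>Hello, " + userInput + "!</p>";
        return Razor.Parse(template, new GreetingModel());
    }

    // CORRECTED: the template is fixed and userInput reaches Razor only as model
    // data, so it is rendered as a value and never parsed as template code.
    public static string RenderSafe(string userInput)
    {
        var model = new GreetingModel { Name = userInput };
        return Razor.Parse(GreetingTemplate, model);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: a harmless Razor expression standing in for
        // untrusted request data.
        string input = "@(1 + 1)";

        // Unsafe path: the input is evaluated as Razor before rendering.
        Console.WriteLine(GreetingRenderer.RenderUnsafe(input));

        // Safe path: the input is treated as text and is not evaluated.
        Console.WriteLine(GreetingRenderer.RenderSafe(input));
    }
}
```

If templates must be selectable at run time, map a user-supplied key to a server-side allowlist of fixed templates instead of accepting template text.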
Impact
If exploited, attackers can execute arbitrary code on the server, potentially gaining full control over the application and its data. This can lead to data breaches, system compromise, and unauthorized access to sensitive resources.