Property
Language: go
Severity: medium
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

User-controlled or dynamic input is being passed directly to the otto VM’s Run function, allowing untrusted scripts to be executed. This exposes your code to code injection risks if input isn’t properly validated or sanitized.

Impact

If exploited, an attacker could run arbitrary JavaScript code within your application’s context, potentially leading to data theft, service disruption, or full system compromise. This could allow them to bypass security controls, access sensitive data, or execute further attacks.
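One way to keep untrusted input out of the source handed to Run, shown as an added example that is not part of this rule page or the otto project: the request only selects a reviewed script by name and supplies a value that is bound as data. The names `jsVM`, `runVetted`, `vettedScripts` and `recordingVM` are hypothetical; with otto, an adapter is assumed to forward `Set` and `Run` to the VM.

```go
package main

import (
	"errors"
	"fmt"
)

// jsVM is the subset of a script VM this example needs. Assumption: for otto,
// a thin adapter forwards Set and Run to the VM's own methods.
type jsVM interface {
	Set(name string, value interface{}) error
	Run(src string) error
}

// vettedScripts is the only source text that ever reaches Run (constructed samples).
var vettedScripts = map[string]string{
	"upper": `result = String(input).toUpperCase();`,
	"len":   `result = String(input).length;`,
}

var errUnknownScript = errors.New("script name not in allowlist")

// runVetted picks a reviewed script by name and binds the untrusted value as
// data in the variable "input"; input is never concatenated into source.
func runVetted(vm jsVM, name, untrusted string) error {
	src, ok := vettedScripts[name]
	if !ok {
		return errUnknownScript
	}
	if err := vm.Set("input", untrusted); err != nil {
		return err
	}
	return vm.Run(src)
}

// recordingVM is a stand-in VM that records what it was asked to execute.
type recordingVM struct {
	vars map[string]interface{}
	ran  []string
}

func (r *recordingVM) Set(n string, v interface{}) error { r.vars[n] = v; return nil }
func (r *recordingVM) Run(src string) error { r.ran = append(r.ran, src); return nil }

func main() {
	vm := &recordingVM{vars: map[string]interface{}{}}
	fmt.Println(runVetted(vm, "upper", `"); injected(); ("`), vm.ran)
	fmt.Println(runVetted(vm, `injected()`, "x"))
}
```
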