| Property | Value |
|---|---|
| Language | javascript |
| Severity | medium |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |

## Description

The code passes JavaScript source built from the page URL (query parameters or the fragment/hash) to a dynamic code sink such as eval(), new Function(), or setTimeout()/setInterval() called with a string argument. Because anyone who can get a user to open a crafted URL controls that input, they control the code that is executed.
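The pattern the rule reports, beside a hardened replacement, as an added example that is not part of the original rule page. The URL, the `ACTIONS` table and the function names are constructed for illustration; `window.location` is stood in for by a URL string so the code runs under Node.

```javascript
// Constructed URL standing in for window.location.href in a browser.
const SAMPLE_URL = "https://app.example/dashboard?view=reports#action=refresh";

// Allowlisted handlers. Keys are the only values the URL may select.
const ACTIONS = Object.freeze({
  refresh: () => "refreshed",
  export: () => "exported",
});

function actionFromHash(href) {
  const hash = new URL(href).hash.slice(1);          // "action=refresh"
  return new URLSearchParams(hash).get("action");    // null when absent
}

// VULNERABLE (CWE-95): the fragment value is spliced into source text and
// compiled. On benign input it "works", which is why it ships; on a crafted
// URL the fragment is executed as script in the victim's origin.
function runActionFromHashUnsafe(href) {
  const action = actionFromHash(href);
  // eslint-disable-next-line no-new-func
  return new Function("ACTIONS", `return ACTIONS.${action}()`)(ACTIONS);
}

// HARDENED: treat the value as a key, not as code. hasOwnProperty (rather
// than `in`) keeps inherited names such as "constructor" from matching.
function runActionFromHashSafe(href) {
  const action = actionFromHash(href);
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, action)) {
    return null;                                      // reject; never evaluate
  }
  return ACTIONS[action]();
}

// setTimeout/setInterval with a string argument is the same sink; schedule a
// function reference instead. `timer` is injectable so the behaviour can be
// checked without a real clock.
function scheduleActionSafe(href, delayMs, timer = setTimeout) {
  const action = actionFromHash(href);
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, action)) return false;
  timer(ACTIONS[action], delayMs);                    // function, not a string
  return true;
}
```

Both versions return "refreshed" for the sample URL; only the safe one refuses a value that is not a declared handler.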

## Impact

If exploited, an attacker could execute arbitrary JavaScript in the user’s browser, leading to Cross-Site Scripting (XSS). This can result in data theft, account compromise, or unauthorized actions performed on behalf of users, putting both user data and application security at risk.