Improper Control of Generation of Code (‘Code Injection’)
| Property | Value |
|---|---|
| Language | PHP |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
In PHP, enclosing a string in backticks executes it as a shell command (the backtick operator behaves like shell_exec()). If user input is interpolated into that string, an attacker can run arbitrary commands on your server.
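The following is an added example, not code from the original rule page: it shows the vulnerable pattern the rule flags next to a hardened version, plus a small token-based check of the kind a scanner could use to find variables interpolated inside backticks. The function names, the ping command, and the hostname validation pattern are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original rule page). The backtick operator is
// shorthand for shell_exec(), so anything interpolated into it reaches /bin/sh.

// VULNERABLE: $host comes from the request and is interpolated into the command.
// A value such as "8.8.8.8; id" would make the shell run a second command.
function pingHostVulnerable(string $host): ?string
{
    return `ping -c 1 $host`;
}

// HARDENED: validate against a strict allowlist first, then quote the value
// as a single shell argument so the shell cannot parse it as syntax.
function pingHostSafe(string $host): ?string
{
    // Hypothetical allowlist: hostname or IPv4 literal characters only.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    $arg = escapeshellarg($host);
    return shell_exec("ping -c 1 $arg");
}

// DETECTION: a simplified static check. token_get_all() emits the backtick
// as a bare '`' token; any T_VARIABLE seen between an opening and closing
// backtick means user-controllable data may be interpolated into a command.
function findBacktickInterpolation(string $source): array
{
    $findings = [];
    $inBacktick = false;
    foreach (token_get_all($source) as $tok) {
        if ($tok === '`') {
            $inBacktick = !$inBacktick;
            continue;
        }
        if ($inBacktick && is_array($tok) && $tok[0] === T_VARIABLE) {
            $findings[] = ['line' => $tok[2], 'variable' => $tok[1]];
        }
    }
    return $findings;
}

// Constructed sample input: the vulnerable function above as source text.
$sample = '<?php function f(string $host) { return `ping -c 1 $host`; }';
foreach (findBacktickInterpolation($sample) as $f) {
    echo "line {$f['line']}: {$f['variable']} interpolated into backtick command\n";
}
```

The hardened function still goes through a shell; where possible, prefer an API that takes the command as an argument array (for example proc_open() with an array command on PHP 7.4 and later), which removes the shell from the path entirely. The detection helper is deliberately simple and reports every interpolated variable, so it is a starting point for triage rather than a taint analysis.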
Impact
Exploiting this vulnerability could let attackers execute malicious system commands, potentially leading to data theft, server compromise, or a complete takeover of the application environment.