Property
Language: php
Severity: low
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description#

Passing user-controlled input as the options parameter of mb_ereg_replace is dangerous because the 'e' (eval) option makes PHP evaluate the replacement string as PHP code after substitution. An attacker who controls that input can therefore get PHP to execute arbitrary code.

Impact#

If exploited, an attacker could execute arbitrary PHP code on your server, leading to data theft, server compromise, or a complete takeover of your application. This puts sensitive data and system integrity at significant risk.
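The pattern this rule flags next to a hardened form, as an added example that is not part of the rule page. It assumes a hypothetical "highlight search term" feature in which the regex flags come from the request; the function names and the allow-list are assumptions.

```php
<?php
declare(strict_types=1);

// VULNERABLE: $options comes straight from the request. If it contains "e", PHP
// evaluates the replacement string as code after substitution, so whoever controls
// the options (and the replacement or subject) controls what gets executed.
function highlightVulnerable(string $subject, string $pattern, string $replacement, string $options): string
{
    return (string) mb_ereg_replace($pattern, $replacement, $subject, $options); // rule trigger
}

// HARDENED: user-supplied flags are validated against a fixed allow-list that never
// contains "e", and the replacement is built by a callback, which needs no eval-style
// option at all. The pattern itself stays developer-controlled.
function highlightSafe(string $subject, string $pattern, string $userOptions = ''): string
{
    // Only the case-insensitive (i) and extended-syntax (x) flags are accepted.
    if (!preg_match('/^[ix]*$/', $userOptions)) {
        throw new InvalidArgumentException('unsupported regex option(s): ' . $userOptions);
    }

    $result = mb_ereg_replace_callback(
        $pattern,
        static fn (array $m): string => '<mark>' . htmlspecialchars($m[0], ENT_QUOTES) . '</mark>',
        $subject,
        $userOptions
    );

    // mb_ereg_replace_callback() returns false on error and null on internal failure.
    if ($result === false || $result === null) {
        throw new RuntimeException('replacement failed');
    }
    return $result;
}

// Constructed sample input: the subject and pattern are fixed, only the flags come from the user.
$userFlags = $_GET['flags'] ?? 'i';
echo highlightSafe('Hello World', 'world', $userFlags), PHP_EOL;
```

Detection of the vulnerable form is a data-flow check: any value reaching the fourth argument of mb_ereg_replace (or mb_eregi_replace) from request, database, or file input should be treated as a finding, even when the call site looks like it only passes "flags".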