Improper Control of Generation of Code (‘Code Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code executes system commands through functions such as exec(), system(), or shell_exec() with an argument that is not a constant string. Because the command line is assembled at runtime, user-controlled data can end up in it, and shell metacharacters in that data change which commands are run.
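An added example, not from the original rule text, showing the flagged pattern beside a hardened version; the endpoint, the `du` command and the base directory are assumptions for illustration.

```php
<?php
// Added example (not from the original page). Assumed scenario: an endpoint
// that reports the size of a file the user names via a request parameter.

// VULNERABLE: the argument to shell_exec() is built from request data, so any
// shell metacharacters in $userInput become part of the command line.
function fileSizeVulnerable(string $userInput): string
{
    return (string) shell_exec("du -sh " . $userInput);
}

// HARDENED: validate against an allowlist, confine the path, and avoid the
// shell entirely by using a library call instead of a command.
function fileSizeSafe(string $userInput, string $baseDir): ?int
{
    // 1. Accept only a plain file name (no spaces, separators or metacharacters).
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $userInput)) {
        return null;
    }
    // 2. Resolve the path and require it to stay inside $baseDir ("..", symlinks).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $userInput);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // 3. No command line exists, so there is nothing to inject into.
    $size = filesize($path);
    return $size === false ? null : $size;
}

// If a shell command is genuinely required, the validated value must still be
// passed through escapeshellarg() so it is always one literal argument.
function fileSizeEscaped(string $validatedPath): string
{
    return (string) shell_exec('du -sh ' . escapeshellarg($validatedPath));
}
```

A scanner implementing this rule flags `fileSizeVulnerable()` because the `shell_exec()` argument is a concatenation rather than a literal; `fileSizeEscaped()` still warrants review because a non-literal reaches the shell, which is why the library-call form is preferred.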
Impact
If exploited, an attacker could execute arbitrary commands on the server, potentially gaining full control, accessing sensitive data, or disrupting system operations. This could lead to data breaches, server compromise, or service outages.