Improper Control of Generation of Code (‘Code Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-94: Improper Control of Generation of Code (‘Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | High |
Description
User-supplied data from request variables is passed directly to PHP functions that execute system commands without proper sanitization. This allows attackers to inject and run arbitrary commands on the server.
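The pattern described above, shown as an added PHP example (not code from the original page): the request parameter name `host`, the `ping` command and the `validateHost` helper are constructed for illustration. The unsafe function concatenates request data straight into a command sink; the hardened one validates against a strict allowlist and quotes the argument before it reaches the shell.

```php
<?php
// Added example, not part of the original page. $request stands in for
// $_GET / $_POST; 'host' and the ping command are constructed values.

// Vulnerable: request data becomes part of the command line unchanged,
// so shell metacharacters in the parameter are interpreted by the shell.
function lookupUnsafe(array $request): string
{
    $host = $request['host'] ?? '';
    return (string) shell_exec("ping -c 1 " . $host);
}

// Allowlist validation: accept only hostname/IPv4-shaped values and reject
// everything else (spaces, ';', '|', '$', backticks, quotes, ...).
function validateHost(string $host): string
{
    if ($host === '' || strlen($host) > 253
        || !preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/', $host)) {
        throw new InvalidArgumentException('invalid host parameter');
    }
    return $host;
}

// Hardened: validate first, then escapeshellarg() wraps the value in single
// quotes so the shell treats it as one literal argument, never as syntax.
function lookupSafe(array $request): string
{
    $host = validateHost($request['host'] ?? '');
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Demonstrate the validator only (no command is executed here).
// Constructed inputs: one benign hostname, one carrying a shell metacharacter.
foreach (['example.com', 'example.com; echo injected'] as $input) {
    try {
        validateHost($input);
        echo "accepted: {$input}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$input}\n";
    }
}
```

Validation and quoting are complementary: the allowlist catches unexpected input early and gives a clear audit signal, while `escapeshellarg()` ensures that even an allowed value cannot change the command's structure.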
Impact
If exploited, attackers could execute malicious commands, access or modify sensitive data, disrupt server operations, or gain full control over the affected system. This can lead to data breaches, service outages, and severe compromise of the application’s integrity and security.