Property
Language: php
Severity: high
CWE: CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP: A03:2021 - Injection
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The application allows user input to directly define or control which callable functions are executed. This means attackers can influence which code runs, leading to unsafe and unpredictable behavior.
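The pattern described above next to an allowlist-based fix, as an added example that is not part of the original rule documentation. The `action` and `value` parameter names and the `ACTIONS` map are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (shown for contrast, not executed here):
//   $fn = $_GET['action'];
//   echo call_user_func($fn, $_GET['value']);
// The request chooses the callable. An is_callable($fn) guard does not help,
// because it is true for every defined function, not only the intended ones.

// Hardened pattern: request keys map to fixed callables chosen by the developer.
// The keys and handlers below are hypothetical, for illustration only.
const ACTIONS = [
    'upper'   => 'strtoupper',
    'length'  => 'strlen',
    'reverse' => 'strrev',
];

function dispatch(array $request): string
{
    $action = $request['action'] ?? null;
    $value  = $request['value'] ?? '';

    // Reject non-string input; action[]=... arrives as an array, and PHP
    // accepts [class, method] arrays as callables too.
    if (!is_string($action) || !is_string($value)) {
        throw new InvalidArgumentException('action and value must be strings');
    }
    // Exact-key lookup: the user string is only ever used as an array key,
    // never passed to call_user_func() or invoked as a variable function.
    if (!array_key_exists($action, ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    $handler = ACTIONS[$action];
    return (string) $handler($value);
}

// Constructed sample requests standing in for $_GET.
$samples = [
    ['action' => 'upper', 'value' => 'hello'],
    ['action' => 'strtoupper', 'value' => 'hello'], // real function, but not an allowlisted key
    ['action' => ['Foo', 'bar'], 'value' => 'x'],   // array-style callable
];
foreach ($samples as $req) {
    try {
        echo dispatch($req), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```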

Impact

If exploited, an attacker could execute arbitrary PHP code on the server, potentially taking full control of the application, accessing sensitive data, or compromising the server. This can lead to data breaches, service disruption, or further attacks against your infrastructure.