
143 Inappropriate coding practices - Eval function


Description

The application passes request data (URL parameters, request headers or other attacker-controlled input) to an eval function without validating it first. An attacker can inject expressions or statements into that input, and the interpreter executes them with the privileges of the server process.


Impact

- Execute arbitrary commands on the server.
- Send expressions that consume CPU or memory until the server is saturated (denial of service).


Recommendation

Do not pass user-controlled data to eval or to similar dynamic-execution functions. Where an expression from the client must be evaluated, parse it against a restricted grammar (an allow-list of tokens, with a bounded length and nesting depth) and evaluate the parsed result, instead of handing the raw string to the language interpreter.
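The following Node.js snippet is an added example, not code from the original page or from the product it describes. It shows the vulnerable pattern from the description (a calculator endpoint that feeds a query parameter to eval) beside a hardened version that accepts only a strict arithmetic grammar. The function names, the query object (standing in for something like Express's req.query), the MAX_EXPR_LENGTH and MAX_NESTING limits and the sample inputs are all assumptions made for the example.

```javascript
// Added example, not code from the original page. Both handlers receive a
// parsed query object such as Express's req.query; the function names, the
// limits and the sample inputs are hypothetical.

// Vulnerable: the "expr" parameter reaches eval() unvalidated, so whatever
// JavaScript the client sends runs inside the server process.
function vulnerableCalc(query) {
  return String(eval(query.expr));
}

// Hardened: accept only a strict arithmetic grammar. Tokens outside the
// allow-list (identifiers, quotes, braces, ...) are rejected before any
// evaluation takes place, and length/nesting limits bound the work done.
const MAX_EXPR_LENGTH = 200;
const MAX_NESTING = 16;
// Sticky regex: each match must start exactly at lastIndex, so no input is skipped.
const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/()]))/y;

function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (m === null) throw new Error(`unexpected character at offset ${pos}`);
    pos = TOKEN_RE.lastIndex;
    tokens.push(m[1] !== undefined
      ? { type: 'num', value: Number(m[1]) }
      : { type: 'op', value: m[2] });
  }
  return tokens;
}

// Recursive-descent evaluator for:
//   expr    := term (('+'|'-') term)*
//   term    := primary (('*'|'/') primary)*
//   primary := number | '-' primary | '(' expr ')'
function evaluateTokens(tokens) {
  let i = 0;
  let depth = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];

  function primary() {
    const t = next();
    if (t === undefined) throw new Error('unexpected end of expression');
    if (t.type === 'num') return t.value;
    if (t.value === '-') return -primary();
    if (t.value === '(') {
      if (++depth > MAX_NESTING) throw new Error('nesting too deep');
      const v = expr();
      const close = next();
      if (close === undefined || close.value !== ')') throw new Error('expected )');
      depth--;
      return v;
    }
    throw new Error(`unexpected token ${t.value}`);
  }
  function term() {
    let v = primary();
    while (peek() !== undefined && (peek().value === '*' || peek().value === '/')) {
      const op = next().value;
      const rhs = primary();
      v = op === '*' ? v * rhs : v / rhs;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() !== undefined && (peek().value === '+' || peek().value === '-')) {
      const op = next().value;
      const rhs = term();
      v = op === '+' ? v + rhs : v - rhs;
    }
    return v;
  }

  const result = expr();
  if (i !== tokens.length) throw new Error('trailing input');
  return result;
}

// Hardened handler: type check, length cap, then parse + evaluate the
// allow-listed grammar. Any rejected input becomes a client error, never code.
function safeCalc(query) {
  const src = typeof query.expr === 'string' ? query.expr.trim() : '';
  if (src.length === 0 || src.length > MAX_EXPR_LENGTH) {
    return { ok: false, error: 'expression missing or too long' };
  }
  try {
    return { ok: true, result: evaluateTokens(tokenize(src)) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample requests: one legitimate expression and two injection
// payloads. 'while(true){}' would never return from vulnerableCalc, so it
// is only shown to the hardened handler.
console.log(vulnerableCalc({ expr: '2*(3+4)' }));          // 14
console.log(vulnerableCalc({ expr: '(() => "pwned")()' })); // pwned
console.log(safeCalc({ expr: '2*(3+4)' }));                 // { ok: true, result: 14 }
console.log(safeCalc({ expr: '(() => "pwned")()' }));       // { ok: false, error: ... }
console.log(safeCalc({ expr: 'while(true){}' }));           // { ok: false, error: ... }
```

The point of the hardened version is that validation happens on structure, not on a denylist of dangerous substrings: the tokenizer only knows numbers, the four operators and parentheses, so identifiers, quotes and braces never reach an interpreter at all, and the length and nesting caps keep a hostile expression from saturating the process the way the impact section describes.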


Threat

Attacker authenticated from the Internet.


Expected Remediation Time

120 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source code.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): L
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Requirements


Fixes


Last updated

2024/02/14