CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
ID
CWE-95
Abstraction
Variant
Structure
Simple
Status
Incomplete
Number of CVEs
60
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.
Modes of Introduction
Phase | Note |
---|---|
Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Implementation | This weakness is prevalent in handler/dispatch procedures that might want to invoke a large number of functions, or set a large number of variables. |
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | Java | ||
Language | JavaScript | ||
Language | Python | ||
Language | Perl | ||
Language | PHP | ||
Language | Ruby | ||
Language | Interpreted | ||
Technology | AI/ML |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.orgCVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |
Loading...