CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The software allows untrusted input to be fed directly into a function (e.g. "eval") that dynamically evaluates and executes the input as code, usually in the same interpreted language that the product uses.
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.