Server Side Code Injection - ASP Code Injection
- Risk:
High
- Type:
Active
- CWE:
CWE-94
- Summary
Code injection may be possible, including custom code that will be evaluated by the scripting engine.
- Solution
Do not trust client-side input, even if there is client-side validation in place. In general, type check all data on the server side and escape all data received from the client. Avoid the use of eval() functions combined with user input data.
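The following is an added example, not part of the original alert text or of any scanner's code. It models a request handler as a plain JavaScript function to show the eval() pattern beside a server-side type check with an allow-listed dispatch. The parameter names `a`, `op` and `b`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Constructed scenario: a handler computes "a <op> b" from three query parameters.

// Pattern the alert warns about: client text reaches the scripting engine's evaluator.
function unsafeCalc(params) {
  return eval(params.a + params.op + params.b); // input is parsed as code
}

// Allow-list of operations. The client selects one by name and never supplies code.
// A Map is used so inherited object keys such as "constructor" cannot match.
const OPERATIONS = new Map([
  ["add", (a, b) => a + b],
  ["sub", (a, b) => a - b],
  ["mul", (a, b) => a * b],
]);

// Server-side type check: accept only a short decimal integer, reject anything else.
function parseInteger(raw) {
  if (typeof raw !== "string" || !/^-?\d{1,9}$/.test(raw)) {
    return null;
  }
  return Number.parseInt(raw, 10);
}

// Hardened handler: typed values plus a fixed dispatch table, no evaluator involved.
function safeCalc(params) {
  const a = parseInteger(params.a);
  const b = parseInteger(params.b);
  const operation = OPERATIONS.get(params.op);
  if (a === null || b === null || operation === undefined) {
    return { ok: false, status: 400, error: "invalid parameter" };
  }
  return { ok: true, status: 200, value: operation(a, b) };
}

// Constructed sample requests: one valid, two that fail validation.
const samples = [
  { a: "6", op: "mul", b: "7" },
  { a: "6", op: "mul", b: "7; anything else" },
  { a: "6", op: "pow", b: "2" },
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(safeCalc(s)));
}
```

Rejecting the request with an error, rather than trying to strip unexpected characters, keeps the accepted input set small enough to reason about.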
- References
https://cwe.mitre.org/data/definitions/94.html
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection