Server Side Code Injection - ASP Code Injection
- Risk:
High
- Type:
Active
- CWE:
CWE-94
- Summary
Code injection may be possible, including custom code that will be evaluated by the scripting engine.
- Solution
Do not trust client-side input, even if there is client-side validation in place. In general, type-check all data on the server side and escape all data received from the client. Avoid the use of eval() functions combined with user input data.
- References
https://cwe.mitre.org/data/definitions/94.html
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
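The Solution above, as an added example that is not part of the original alert text: server-side type checking plus an allow-list takes the place of eval() on request data. It is written in JavaScript; the handler `calculate`, the helper `parseOperand` and the `a`/`op`/`b` parameter names are hypothetical, and the sample requests are constructed.

```javascript
// Vulnerable shape the alert describes, kept as a comment so it never runs:
//   var result = eval(params.a + params.op + params.b);

// Allow-list of operations: request data only selects an entry, it is never executed.
var OPERATIONS = {
  add: function (x, y) { return x + y; },
  sub: function (x, y) { return x - y; },
  mul: function (x, y) { return x * y; }
};

// Server-side type check: accept only a short decimal integer string.
// Anything else (wrong type, extra characters, exponent notation) is rejected.
function parseOperand(raw) {
  if (typeof raw !== "string" || !/^-?[0-9]{1,6}$/.test(raw)) {
    return null;
  }
  return parseInt(raw, 10);
}

// params: object of raw request strings (hypothetical stand-in for query-string values).
function calculate(params) {
  var a = parseOperand(params.a);
  var b = parseOperand(params.b);
  // hasOwnProperty keeps inherited keys such as "constructor" out of the allow-list.
  var known = typeof params.op === "string" &&
    Object.prototype.hasOwnProperty.call(OPERATIONS, params.op);
  if (a === null || b === null || !known) {
    return { ok: false, error: "invalid input" };
  }
  return { ok: true, value: OPERATIONS[params.op](a, b) };
}

// Constructed sample requests: one valid, two that must be rejected.
var samples = [
  { a: "6", op: "mul", b: "7" },
  { a: "6", op: "mul", b: "7; anything_else" },
  { a: "1", op: "constructor", b: "2" }
];
for (var i = 0; i < samples.length; i++) {
  console.log(JSON.stringify(samples[i]) + " -> " + JSON.stringify(calculate(samples[i])));
}
```

The rejected requests get a fixed error string, so no client-supplied text is echoed back unescaped.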