Description
This script is vulnerable to server-side JavaScript injection. User input appears to be placed into a dynamically evaluated JavaScript statement (typically an eval call, or another construct that compiles a string into code at runtime), which allows an attacker to execute arbitrary JavaScript on the server with the privileges of the application process.
Remediation
Do not build JavaScript statements by concatenating code with user input, and avoid eval and its equivalents (the Function constructor, and setTimeout or setInterval called with a string argument) on any data an attacker can influence. In particular, when parsing JSON input, use JSON.parse rather than eval: JSON.parse accepts only the JSON grammar and throws a SyntaxError on anything else, whereas eval executes whatever the client sends. After parsing, validate the structure and types of the result before the application acts on it.
Related Vulnerabilities
Oracle WebLogic Remote Code Execution (CVE-2020-14882)
Unauthenticated Remote Code Execution via JSONWS in Liferay 7.2.0 CE GA1
TYPO3 Improper Input Validation Vulnerability (CVE-2010-3716)
PHP 4.3.0 file disclosure and possible code execution
SharePoint Improper Input Validation Vulnerability (CVE-2020-1025)