Description
This script is vulnerable to server-side JavaScript injection. The user input appears to be placed into a dynamically evaluated JavaScript statement, allowing an attacker to execute arbitrary server-side JavaScript code.
Remediation
Avoid building JavaScript statements by concatenating script text with user input. Avoid the JavaScript eval function entirely. In particular, when parsing JSON input, use a safer alternative such as JSON.parse, which accepts only JSON data and rejects anything that is executable code.
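The following is an added example, not code from the original entry: the eval-based JSON parsing this entry warns about, beside the JSON.parse replacement the remediation recommends. The request bodies and the function names are constructed for the illustration.

```javascript
// Added example (not from the original page). Two ways a Node.js handler
// might turn a request body into an object. All inputs are constructed.

// Vulnerable pattern: the body is evaluated as JavaScript, so anything that
// is valid JS (not only JSON) runs on the server with the process's rights.
function parseWithEval(body) {
  // eslint-disable-next-line no-eval
  return eval('(' + body + ')');
}

// Remediated pattern: JSON.parse accepts JSON data only. Code-like input is
// rejected with a SyntaxError rather than executed, and is treated here as a
// client error (null) that the caller should answer with a 400.
function parseWithJsonParse(body) {
  try {
    return JSON.parse(body);
  } catch (err) {
    return null;
  }
}

// Constructed inputs: an ordinary JSON document, and a body that is not JSON
// but is valid JavaScript (an expression sits where a value should be).
const VALID_JSON = '{"user":"alice","quantity":2}';
const NOT_JSON = '{"user":"alice","quantity":(40+2)}';

// Runs both parsers over both inputs and returns what each produced.
function compareParsers() {
  return {
    evalValid: parseWithEval(VALID_JSON).quantity,        // 2
    evalCodeLike: parseWithEval(NOT_JSON).quantity,       // 42: the expression ran
    parseValid: parseWithJsonParse(VALID_JSON).quantity,  // 2
    parseCodeLike: parseWithJsonParse(NOT_JSON),          // null: input rejected
  };
}

// Stand-alone run for the reader.
console.log(compareParsers());
```

The difference in the two "code-like" results is the whole finding: with eval the server ran an expression supplied by the client, with JSON.parse it did not.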
References
Related Vulnerabilities
Telerik Web UI Unrestricted File Upload (CVE-2014-2217)
Drupal Core 9.0.x Remote Code Execution (9.0.0 - 9.0.7)
TYPO3 Improper Input Validation Vulnerability (CVE-2014-9509)
RubyGems Improper Input Validation Vulnerability (CVE-2017-0900)
WordPress Improper Input Validation Vulnerability (CVE-2013-4339)