Server-side JavaScript injection

Description
  • This script is possibly vulnerable to Server-side JavaScript injection.The user input appears to be placed into a dynamically evaluated JavaScript statement, allowing an attacker to execute arbitrary Server-side Javascript code.
Remediation
  • Avoid creating JavaScript commands by concatenating script with user input. Avoid use of the Javascript eval command. In particular, when parsing JSON input, use a safer alternative such as JSON.parse.
References