SYM_PY_0022 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-provided input is being passed directly to Python's InteractiveConsole or InteractiveInterpreter methods, which execute code dynamically. This means attackers could supply malicious code that gets executed by your application.
Impact
If exploited, an attacker could run arbitrary Python commands on your server, potentially gaining full control over the system, accessing sensitive data, altering application behavior, or causing service disruptions.