SYM_PY_0036 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code calls exec(), which compiles and runs a string as Python statements with no sandboxing: anything the interpreter can do, the string can do. If any part of that string is built from user input or other external data (request parameters, file contents, configuration values, database rows), an attacker can supply Python of their own and run arbitrary code inside the application process. eval() has the same problem for expressions. Quoting or escaping the input does not help, because the string is parsed as code rather than treated as data; the fix is to stop evaluating untrusted text altogether, for example by dispatching on an explicit allowlist of operations or by parsing the input with ast.literal_eval() when it is meant to be a literal value.
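The following is an added example, not code from the original page or from the Symbiotic project: a toy calculator that exec()s attacker-controlled text beside a hardened version that parses the input to an AST and evaluates only an allowlisted set of node types, plus ast.literal_eval() for the case where the input is meant to be data rather than arithmetic. The function and constant names (vulnerable_calc, safe_calc, safe_literal, is_rejected) and the sample inputs are assumptions constructed for this example.

```python
"""Eval injection via exec() on untrusted text, and two safe alternatives."""
import ast
import operator

# Constructed sample inputs for this example (not from the original page).
BENIGN_INPUT = "2 + 3"
# Constructed payload: syntactically valid Python that the caller never intended
# to run. A harmless probe is used here; an attacker can substitute anything.
MALICIOUS_INPUT = "__import__('os').getcwd()"


def vulnerable_calc(expr: str):
    """VULNERABLE: builds a statement from untrusted text and exec()s it.

    Even with an empty globals dict, Python inserts __builtins__, so the payload
    can reach __import__ and run arbitrary code in this process.
    """
    ns = {}
    exec("result = " + expr, {}, ns)  # CWE-95: attacker controls what runs
    return ns["result"]


# Explicit allowlist of arithmetic operators. Pow is deliberately left out so a
# payload like "9 ** 9 ** 9" cannot be used to exhaust CPU and memory.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def _eval_node(node: ast.AST):
    """Walk the AST and evaluate only numeric constants and allowlisted operators."""
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return node.value
        raise ValueError(f"disallowed constant: {node.value!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand)
    # Calls, attribute access, names, subscripts, lambdas, etc. all end up here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_calc(expr: str, max_len: int = 200):
    """HARDENED: parse to an AST and interpret it ourselves; nothing is exec()ed."""
    if len(expr) > max_len:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")  # raises SyntaxError on junk
    return _eval_node(tree.body)


def safe_literal(text: str):
    """For inputs that are supposed to be DATA (lists, dicts, numbers, strings):
    ast.literal_eval only accepts literal syntax and never performs calls."""
    return ast.literal_eval(text)


def is_rejected(func, text: str) -> bool:
    """True if func refuses the input instead of evaluating it."""
    try:
        func(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, benign  :", vulnerable_calc(BENIGN_INPUT))
    print("vulnerable, payload :", vulnerable_calc(MALICIOUS_INPUT))  # runs attacker code
    print("safe, benign        :", safe_calc(BENIGN_INPUT))
    print("safe, payload       :", is_rejected(safe_calc, MALICIOUS_INPUT))
    print("literal, payload    :", is_rejected(safe_literal, MALICIOUS_INPUT))
```

The hardened version keeps the same input format for the benign case but never hands the string to the compiler for execution; the AST walker is the whole language the application is willing to support, so new node types have to be added deliberately rather than being available by default.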
Impact
If exploited, an attacker can execute code of their choosing on the server with the privileges of the application process, potentially leading to data theft, unauthorized access, system compromise, or complete takeover of the application. Because the injected code runs inside the interpreter, it can read secrets held in memory, reach any service the application can reach, and alter or exfiltrate data, resulting in severe breaches of confidentiality and integrity.