SYM_PY_0055 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Incorrectly-Resolved Name or Reference
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-706: Use of Incorrectly-Resolved Name or Reference |
OWASP | A01:2021 - Broken Access Control |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
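Passing user-controlled input as the module name to importlib.import_module() lets an attacker choose which module is imported. Because importing a module executes its top-level code, this can load and execute arbitrary Python code. Avoid importing modules based on untrusted data, or strictly validate the name against the allowed module names.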
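The flagged pattern next to an allowlist-based form, as an added example that is not code from this wiki or the project. The names ALLOWED_FORMATS, load_format_unsafe, load_format_safe and check_requests are hypothetical, and the sample inputs are constructed.

```python
import importlib
from types import ModuleType

# Constructed allowlist: request value -> fixed module path chosen by the developer.
ALLOWED_FORMATS = {
    "json": "json",
    "csv": "csv",
}


def load_format_unsafe(name: str) -> ModuleType:
    """Pattern the rule flags: the caller's string picks the module."""
    # Importing runs the module's top-level code, so any importable
    # name on sys.path becomes reachable from the request.
    return importlib.import_module(name)


def load_format_safe(name: str) -> ModuleType:
    """Hardened form: untrusted input is only a lookup key."""
    if not isinstance(name, str):
        raise ValueError("format name must be a string")
    try:
        module_path = ALLOWED_FORMATS[name]
    except KeyError:
        raise ValueError(f"unsupported format: {name!r}") from None
    # The string passed to import_module comes from the allowlist,
    # never from the request itself.
    return importlib.import_module(module_path)


def check_requests(names):
    """Return {name: 'loaded' | 'rejected'} for a batch of requested names."""
    results = {}
    for name in names:
        try:
            load_format_safe(name)
            results[name] = "loaded"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    # Constructed sample inputs, including names outside the allowlist.
    samples = ["json", "csv", "os", "json.tool", "JSON", ""]
    for name, outcome in check_requests(samples).items():
        print(f"{name!r}: {outcome}")
```

The lookup is an exact match on purpose: submodule paths such as json.tool, case variants and empty strings are rejected rather than normalised into something importable.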
Impact
If exploited, an attacker could execute malicious code within your application, potentially leading to data theft, unauthorized access, or full system compromise. This could severely impact application security and expose sensitive resources.