SYM_PY_0151 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description

User input is passed directly to Python's `exec()` function, allowing an attacker to inject and execute arbitrary code. Dynamically evaluating untrusted input is highly insecure and should be avoided, especially in web applications such as those built with Flask, where the input arrives straight from the request.
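The following is an added example, not code from the Symbiotic database or any project it catalogues. It contrasts the pattern the description refers to (a request parameter concatenated into `exec()`) with a hardened replacement that parses the input with `ast` and accepts only numeric literals and basic arithmetic, so names, calls, attribute access and imports are rejected before anything is evaluated. The Flask route wiring is omitted as an assumption; both functions take the request parameter value as a plain string.

```python
import ast
import operator


def run_vulnerable(user_expr: str) -> str:
    """CWE-95 pattern: the caller's string is executed as Python unchanged."""
    scope = {}
    exec("result = " + user_expr, {}, scope)  # any statement the caller sends runs here
    return str(scope["result"])


# Operator allowlist for the hardened evaluator. Pow is deliberately absent:
# an expression like 9**9**9 would consume CPU and memory before returning.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_eval(user_expr: str, max_len: int = 200):
    """Evaluate a numeric expression without exec()/eval()."""
    if len(user_expr) > max_len:
        raise ValueError("expression too long")
    # mode="eval" parses a single expression; statements (imports, assignments) fail here
    tree = ast.parse(user_expr, mode="eval")
    return _eval_node(tree.body)


def _eval_node(node):
    # Only int/float literals are data; bool is excluded because it subclasses int.
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_eval_node(node.operand))
    # Name, Call, Attribute, Subscript, comparisons, etc. are all refused.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def rejects(user_expr: str) -> bool:
    """True if the hardened evaluator refuses the input (used for checks below)."""
    try:
        safe_eval(user_expr)
    except (ValueError, SyntaxError):
        return True
    return False
```

Because `safe_eval` never hands the string to the interpreter, the worst a malformed request can produce is a `ValueError` or `ZeroDivisionError` for the handler to map to an HTTP 400.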
## Impact

If exploited, an attacker could run arbitrary Python code on your server, potentially gaining full control over the system, accessing or modifying sensitive data, and compromising the security of your application and its users.