SYM_PY_0154 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description
User input is being passed directly to Python's eval() function, allowing attackers to execute arbitrary code on the server. This is highly insecure because eval() parses and executes whatever Python expression it receives, with the full privileges of the calling process.
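The following is an added example, not code from the Symbiotic-Vulnerability-Database entry or from any project it was generated for. It shows the vulnerable pattern (a "calculator" helper that hands the request string to `eval()`) beside a hardened replacement that parses the input with the `ast` module and interprets only numeric arithmetic, so no part of the input is ever executed. All function names (`calculate_unsafe`, `calculate_safe`, `looks_like_code`) and the sample inputs are constructed for this illustration.

```python
"""Added example for CWE-95 (eval injection) in Python: vulnerable vs. hardened
expression evaluation. Names and sample inputs are constructed, not from the page."""
import ast
import operator


def calculate_unsafe(expression: str):
    # Vulnerable pattern (CWE-95): the untrusted string is executed as Python,
    # so any expression the language accepts will run with this process's rights.
    return eval(expression)


class UnsafeExpression(ValueError):
    """Raised when the input contains anything other than numeric arithmetic."""


def _safe_pow(base, exponent):
    # Cap the exponent so "9 ** 99999999" cannot be used to exhaust CPU/memory.
    if abs(exponent) > 100:
        raise UnsafeExpression("exponent too large")
    return operator.pow(base, exponent)


# Allow-list of AST operator node types mapped to plain arithmetic functions.
_ALLOWED_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: _safe_pow,
}
_ALLOWED_UNARYOPS = {
    ast.UAdd: operator.pos,
    ast.USub: operator.neg,
}


def _eval_node(node):
    # Numeric literals only; bool is excluded because it subclasses int.
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _ALLOWED_BINOPS:
        return _ALLOWED_BINOPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _ALLOWED_UNARYOPS:
        return _ALLOWED_UNARYOPS[type(node.op)](_eval_node(node.operand))
    # Names, attribute access, calls, subscripts, comprehensions, etc. are rejected.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def calculate_safe(expression: str, max_length: int = 200):
    # Hardened version: parse in 'eval' mode, then walk the tree with the allow-list.
    # The input is never compiled or executed; _eval_node interprets the tree itself.
    if len(expression) > max_length:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression("not a valid arithmetic expression") from exc
    return _eval_node(tree.body)


def looks_like_code(expression: str) -> bool:
    """Triage helper for request logs: True when the input would be rejected
    by calculate_safe, i.e. it contains something other than plain arithmetic."""
    try:
        calculate_safe(expression)
        return False
    except UnsafeExpression:
        return True


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate, two that only make sense as code.
    for sample in ["2 + 3 * 4", "-(7 ** 2) % 5", "__import__('os').getcwd()", "len('abc')"]:
        try:
            print(f"{sample!r} => {calculate_safe(sample)}")
        except UnsafeExpression as err:
            print(f"{sample!r} => rejected ({err})")
```

Note that `calculate_safe` deliberately does not accept names, calls or attribute access, which is why the "sandboxed eval" tricks (passing a restricted `globals`/`locals` dict to `eval()`) are not used here: those are routinely bypassed through object introspection, whereas an allow-listed AST walk cannot reach anything that is not a number or an arithmetic operator. Arithmetic errors such as division by zero still surface as ordinary exceptions and should be handled by the caller.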
## Impact
If exploited, an attacker could run malicious Python code on your server, potentially leading to data theft, unauthorized access, service disruption, or complete compromise of your application and underlying system.