SYM_PY_0205 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
User input is passed directly into Python's `exec` function. Because `exec` compiles and runs whatever string it receives, with the privileges of the application process, an attacker who controls that input can inject and execute arbitrary code on the server. The weakness is that the application never separates the data it expects (a value, a formula, a field name) from the code that `exec` will run.
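As an added illustration (not code from the Symbiotic database or from any project it catalogues), a constructed formula-evaluation handler in its vulnerable form, which hands the user's string straight to `exec`, next to a hardened form that parses the same input with `ast` and evaluates only an allowlisted subset of arithmetic; the function names, the formula strings and the variable dictionaries are assumptions made for the example.

```python
import ast
import operator

# Vulnerable pattern (the 'before' form this entry describes): the user-supplied
# formula is interpolated into a statement and executed. Any Python statement
# that follows the expression runs with the application's privileges.
def apply_user_formula_vulnerable(formula: str, values: dict) -> float:
    scope = dict(values)
    exec(f"result = {formula}", {}, scope)  # user-controlled code executes here
    return scope["result"]

# Hardened form: the text is parsed as a single expression and the AST is walked
# with an allowlist. Only numeric literals, known variable names, unary sign and
# four arithmetic operators are accepted; calls, attribute access, subscripts,
# power (a cheap CPU-exhaustion vector) and everything else are rejected before
# any evaluation happens, so there is no code-execution path at all.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def safe_formula(formula: str, values: dict) -> float:
    try:
        tree = ast.parse(formula, mode="eval")  # eval mode: one expression only
    except SyntaxError as e:
        raise ValueError(f"invalid formula: {e.msg}") from None

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in values:
                raise ValueError(f"unknown variable: {node.id}")
            return values[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](ev(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)
```

Both functions return 25 for the constructed input `"price * qty - 5"` with `price=10, qty=3`; only the vulnerable one will also run a second statement appended to the formula, while `safe_formula` raises `ValueError` for it.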
## Impact
If exploited, an attacker could run any Python code they choose, potentially gaining full control over the server, accessing sensitive data, modifying or deleting files, or taking down the application entirely. This can lead to data breaches, service disruption, and severe organizational damage.