SYM_PY_0206 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
## Description
The code executes Python code built directly from user-supplied input (such as HTTP request data) using `exec`. Because the request text is compiled and run as Python, an attacker can inject and run arbitrary code on your server, making the application extremely unsafe.
## Impact
If exploited, an attacker could execute any code they choose on your server, potentially stealing sensitive data, modifying or deleting files, escalating privileges, or taking full control of the system. This can lead to data breaches, service disruption, and severe damage to your organization.