SYM_PY_0209 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-supplied data is passed directly to Python's `eval` function. `eval` compiles and runs its argument as a Python expression, so any text an attacker controls is executed as code with the privileges of the server process. The same applies to `exec`, and to `eval` calls that try to sandbox the input by passing an empty `__builtins__` dictionary: the interpreter's object graph remains reachable through attributes such as `__class__` and `__subclasses__`, so that is not a fix. If the input is meant to be a literal value (a number, string, list or dict), parse it with `ast.literal_eval`, which rejects calls, names and attribute access; if it is meant to be an expression such as a formula, parse it with the `ast` module and evaluate only an allow-list of node types, or use a dedicated expression-parsing library.
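The following example is added here to illustrate this entry; it is not code from the Symbiotic-Vulnerability-Database project. The function names, the two input strings and the dictionary returned by `demo()` are all constructed for the demonstration. It shows the vulnerable `eval` pattern, shows that emptying `__builtins__` does not contain it, and then shows the two hardened alternatives described above: `ast.literal_eval` for literal values and an allow-listed `ast` walker for arithmetic.

```python
import ast
import operator

# Constructed inputs: one a legitimate client might send, one an attacker might.
# The "malicious" string only calls os.getpid() so the demo has no side effects,
# but a file read or subprocess call would run exactly the same way.
BENIGN_INPUT = "2 + 3 * 4"
MALICIOUS_INPUT = "__import__('os').getpid()"


def vulnerable_calculate(expression: str):
    """The CWE-95 pattern: untrusted text handed straight to eval().
    eval() compiles the string as Python, so the attacker's expression runs
    with the privileges of the calling process."""
    return eval(expression)  # noqa: S307 (deliberately vulnerable)


def vulnerable_restricted(expression: str):
    """A common but ineffective 'fix': eval() with builtins removed.
    Attribute access on any object still reaches every loaded class, so the
    attacker can walk back to os, subprocess and friends from a plain tuple."""
    return eval(expression, {"__builtins__": {}}, {})  # still vulnerable


# Hardened variant 1: the input is expected to be a literal (number, string,
# list, dict, ...). ast.literal_eval only accepts literal syntax; a call,
# attribute access or name raises ValueError instead of executing.
def parse_literal(text: str):
    return ast.literal_eval(text)


# Hardened variant 2: the input is expected to be arithmetic. Parse it with
# the ast module and walk the tree, permitting only an explicit allow-list of
# node types and operators. Names, calls and attribute access are refused
# before anything is evaluated. Exponentiation is deliberately left out so a
# caller cannot submit "9**9**9" to exhaust CPU and memory.
_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_calculate(expression: str):
    tree = ast.parse(expression, mode="eval")
    return _eval_node(tree.body)


def _eval_node(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        return _BINARY_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def demo():
    """Run every variant against both inputs and return a summary dict
    (constructed for this demo) so the behaviour can be checked programmatically."""
    results = {
        "vulnerable_benign": vulnerable_calculate(BENIGN_INPUT),
        # The attacker's expression executed: eval returned the process id.
        "vulnerable_malicious_ran": isinstance(vulnerable_calculate(MALICIOUS_INPUT), int),
        # Even with builtins stripped, the class hierarchy is reachable.
        "restricted_leaks_classes": len(
            vulnerable_restricted("().__class__.__base__.__subclasses__()")
        ) > 0,
        "safe_benign": safe_calculate(BENIGN_INPUT),
    }
    for fn in (safe_calculate, parse_literal):
        try:
            fn(MALICIOUS_INPUT)
            results[fn.__name__ + "_malicious"] = "executed"
        except ValueError:
            results[fn.__name__ + "_malicious"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `safe_calculate` allow-lists node types rather than black-listing dangerous ones: a new Python release can add syntax, and anything the walker does not explicitly recognise is refused. That is the property a reviewer should look for when a team claims to have "sanitized" input before `eval`.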
Impact
If exploited, an attacker can run arbitrary Python code with the permissions of the process that called `eval`: reading or modifying application data and credentials, spawning shell commands, reaching other systems the server can connect to, and ultimately taking over the host and the application it serves.