Description

This script is vulnerable to Python code injection. The user input appears to be placed into a dynamically evaluated Python code statement, allowing an attacker to execute arbitrary Python code.

Remediation

Avoid creating Python code by concatenating code with user input. Avoid use of the Python eval command.

References

Exploiting Python Code Injection in Web Applications

Related Vulnerabilities

WordPress Plugin Lightbox Jquery Possible Remote Code Execution (0.24)

WordPress Plugin Broadcast Live Video-Live Streaming:HTML5, WebRTC, HLS, RTSP, RTMP Remote Code Execution (5.5.15)

uWSGI Unauthorized Access Vulnerability

WordPress Plugin WP-Live Chat by 3CX Remote Code Execution (7.0.01)

WordPress Plugin UnGallery 'search' Parameter Remote Arbitrary Command Execution (2.1.5)

Severity

Critical

Classification

CWE-95 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor