Description

This script is vulnerable to Python code injection. The user input appears to be placed into a dynamically evaluated Python code statement, allowing an attacker to execute arbitrary Python code.

Remediation

Avoid creating Python code by concatenating code with user input. Avoid use of the Python eval command.

References

Exploiting Python Code Injection in Web Applications

Related Vulnerabilities

Cmd hijack vulnerability

Drupal Core 9.0.x Remote Code Execution (9.0.0 - 9.0.7)

Liferay version older than 7.1

Spring Boot Whitelabel Error Page SpEL

Fortinet FortiNAC RCE via arbitrary file upload

Severity

Critical

Classification

CWE-95 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor