Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
| Property | |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
The code calls Python's built-in exec(), which compiles and runs a string as Python source. If any part of that string is derived from user input or another external source (request parameters, file contents, database rows, environment variables), an attacker can run arbitrary Python inside the application process, with the same privileges as the application. Passing restricted globals or locals dictionaries to exec() does not contain this: the interpreter re-injects the builtins, so constructs such as __import__ remain reachable. The same applies to eval(). A call whose argument is a hard-coded literal is not exploitable on its own, but it is still worth reviewing, because a later change that builds the string dynamically reintroduces the risk.
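The following is an added example, not code from the original page or from any project it describes. It shows a hypothetical "calculator" endpoint that exec()s a user-supplied expression, beside a hardened version that parses the expression with the ast module and evaluates only an explicit allow-list of arithmetic node types. The payload string is constructed for the demonstration and is deliberately harmless (it only reads the process ID); the point is that it proves arbitrary code runs under the vulnerable version and is rejected by the safe one.

```python
import ast
import operator

# Hypothetical request handler logic: the expression string comes from a
# request parameter. Added example, not code from the original page.

def compute_unsafe(expr: str):
    """VULNERABLE (CWE-95): the user-controlled string becomes Python source.
    Passing a fresh, empty namespace does not help: exec() re-injects the
    builtins, so __import__ and therefore os.system() stay reachable."""
    namespace = {}
    exec("result = " + expr, namespace)
    return namespace["result"]

# Hardened version: parse with ast and evaluate only allow-listed node types.
# Names, calls, attribute access and subscripts are rejected before anything
# is evaluated. Exponentiation is left out on purpose (2 ** 10 ** 10 is a DoS).
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

def _eval_node(node):
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    raise ValueError(f"disallowed expression element: {type(node).__name__}")

def compute_safe(expr: str):
    """Evaluate a simple arithmetic expression without exec()/eval()."""
    if len(expr) > 200:  # cheap guard against pathological input sizes
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("invalid expression") from exc
    return _eval_node(tree.body)

def safe_rejects(expr: str) -> bool:
    """True if the hardened evaluator refuses the expression."""
    try:
        compute_safe(expr)
    except ValueError:
        return True
    return False

# Constructed payload: harmless, but it demonstrates that arbitrary code runs.
# An attacker would call os.system() or read files in the same position.
PAYLOAD = "__import__('os').getpid()"

def unsafe_executes_payload() -> bool:
    """True if compute_unsafe() actually ran the injected code."""
    import os
    return compute_unsafe(PAYLOAD) == os.getpid()

if __name__ == "__main__":
    print(compute_unsafe("2 + 3 * 4"), compute_safe("2 + 3 * 4"))
    print("unsafe runs payload:", unsafe_executes_payload())
    print("safe rejects payload:", safe_rejects(PAYLOAD))
```

Both functions give the same answer for legitimate arithmetic, which is why such code often survives review. The difference only shows on hostile input: the allow-list approach fails closed on any node type it does not recognise, whereas the exec() version cannot be made safe by restricting namespaces, stripping keywords, or blacklisting characters.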
Impact
If exploited, an attacker can execute code of their choosing on the server, in the application's process and with its privileges. Depending on what that process can reach, this leads to data theft, unauthorized access to other systems and credentials, persistence on the host, or complete takeover of the application. Because the attacker controls the code that runs, both the confidentiality and the integrity of the application's data are fully compromised.