Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
Description
Passing locals() directly as the template context in Django exposes every local variable and function of the view to the template, including sensitive or internal objects that were never meant to be rendered. This can allow unintended access to Python functions and data from within templates.
Impact
An attacker could exploit this to execute arbitrary code or access sensitive information through template manipulation, leading to server compromise, data leakage, or unauthorized actions within your application.
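The following is an added example, not code from the rule page or from Django itself. It shows the pattern the description refers to in two ways: a small AST-based check that flags `locals()` being passed, positionally or as `context=`, to Django's real rendering entry points (`render`, `render_to_string`, `TemplateResponse`, `Context`, `RequestContext`), and a pair of context builders that make visible which keys a template receives under the `locals()` pattern versus an explicit dictionary. The view source being scanned is constructed for this example, and the helper names (`find_locals_context`, `build_context_with_locals`, `build_context_explicit`) are hypothetical.

```python
"""Added example: detect `locals()` used as a Django template context and
contrast it with an explicit context dict. Sample view source is constructed;
helper names are hypothetical (not part of Django or of the rule page)."""
import ast

# Real Django callables that accept a template context, positionally or as context=.
CONTEXT_CALLEES = {"render", "render_to_string", "TemplateResponse", "Context", "RequestContext"}

# Constructed sample source: one view uses locals(), one passes an explicit dict,
# and a helper passes locals() via the context= keyword. It is only parsed, never run.
SAMPLE_VIEWS = '''
from django.shortcuts import render
from django.template.loader import render_to_string

def account_view(request):
    db_password = settings.DATABASES["default"]["PASSWORD"]   # internal detail
    delete_user = lambda u: u.delete()                        # helper never meant for templates
    profile = request.user.profile
    return render(request, "account.html", locals())          # exposes everything above

def safe_account_view(request):
    profile = request.user.profile
    return render(request, "account.html", {"profile": profile})

def email_body(user):
    token = make_token(user)
    return render_to_string("email.txt", context=locals())
'''


def _is_locals_call(node):
    """True for a bare `locals()` call expression."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "locals" and not node.args and not node.keywords)


def _callee_name(func):
    """Name of the called function, whether written bare or as an attribute."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_locals_context(source):
    """Return (line, callee) pairs where locals() is handed to a Django
    rendering or context constructor, either positionally or as context=."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _callee_name(node.func)
        if callee not in CONTEXT_CALLEES:
            continue
        candidates = list(node.args) + [kw.value for kw in node.keywords if kw.arg == "context"]
        if any(_is_locals_call(arg) for arg in candidates):
            findings.append((node.lineno, callee))
    return findings


def build_context_with_locals(profile, secret):
    """Mirrors the flagged pattern: every name in scope, including the
    `secret` argument and the `helper` callable, lands in the template context."""
    helper = lambda text: text.upper()
    greeting = "Hello"
    return dict(locals())


def build_context_explicit(profile, secret):
    """Remediated form: only the values the template needs are exposed."""
    greeting = "Hello"
    return {"profile": profile, "greeting": greeting}


if __name__ == "__main__":
    for line, callee in find_locals_context(SAMPLE_VIEWS):
        print(f"line {line}: locals() passed as context to {callee}()")
    print("locals() context keys:", sorted(build_context_with_locals("p", "s")))
    print("explicit context keys:", sorted(build_context_explicit("p", "s")))
```

Running the module reports the two offending calls (lines 9 and 17 of the constructed sample) and leaves the explicit-dict view alone; the key listings show `secret` and `helper` present only under the `locals()` pattern. A check like this has the same limits the rule page's low confidence level reflects: it cannot tell whether the locals in a given view are actually sensitive, only that the view has ceded control over what the template can reach.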