PCI v3.2-6.5.1
CAPEC-23
CWE-94
HIPAA-164.306(a), 164.308(a)
ISO27001-A.14.2.5
OWASP 2013-A1
OWASP 2017-A1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Code Evaluation (Python)

Severity:
Critical
Summary

Invicti identified a code evaluation (Python), which occurs when input data is run as code.

This is a highly critical issue and should be addressed as soon as possible.

Impact

An attacker can execute arbitrary Python code on the system. The attacker may also be able to execute arbitrary system commands.

Remediation

Do not accept input from end users which will be directly interpreted as source code. If this is a business requirement, validate all input to the application by removing any data that could be directly interpreted as Python source code.

Required Skills for Successful Exploitation

This vulnerability is not difficult to leverage. Python is a high level language for which there are vast resources available. Successful exploitation requires knowledge of the programming language, access to or the ability to produce source code for use in such attacks, and minimal attack skills.

Actions To Take
Classifications
PCI v3.2-6.5.1
CAPEC-23
CWE-94
HIPAA-164.306(a), 164.308(a)
ISO27001-A.14.2.5
OWASP 2013-A1
OWASP 2017-A1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vulnerability Index

You can search and find all vulnerabilities

Select Category
Critical
High
Medium
Low
Best Practice
Information
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Related Vulnerabilities

Featured resources

No items found.
No items found.
View all resources

Build your resistance to threats. And save hundreds of hours each month.

Get a Demo