The CVE-2024-28397 vulnerability affects versions of js2py up to v0.74, a Python library that allows JavaScript code to be executed within the Python interpreter. # Description-js2py
The CVE-2024-28397 vulnerability affects versions of js2py up to v0.74, a Python library that allows JavaScript code to be executed within the Python interpreter. The flaw is in the implementation of the disable_pyimport() method, which should prevent JavaScript code from accessing Python objects. However, due to a failure in the implementation, an attacker can circumvent this restriction and obtain references to Python objects within the JavaScript environment, allowing arbitrary code execution on host.
Technical Details
Affected component: js2py.disable_pyimport()<br>
Affected versions: Up to v0.74<br>
CVE ID: CVE-2024-28397<br>
CVSS v3.1: 5.3 (Average)<br>
CWE: 94 (Inadequate code generation)<br>
The failure occurs because the disable_pyimport() method does not properly prevent access to Python objects from JavaScript code. This allows an attacker, even with protection enabled, to access Python objects and execute arbitrary commands on the system
[4.0K] /data/pocs/73bca81daeffff2de0cc47a0b0eb8fdf029fc821
├── [3.0K] exploit_js2py.php
└── [ 987] README.md
0 directories, 2 files