CVE-2023-48699
Eval Injection in fastbots
Description
### Impact

An attacker could modify the locators.ini locator file with Python code that, without proper validation, is executed and could lead to RCE. The vulnerability is in the function `def __locator__(self, locator_name: str)` in page.py. The vulnerable code that loads the locator directly from the file and executes it without validation is:

```python
return eval(self._bot.locator(self._page_name, locator_name))
```

### Patches

In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above.

### References

[Merge that also fixes this issue](https://github.com/ubertidavide/fastbots/pull/3#issue-2003080806)
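The fix the advisory calls for is to stop treating locator text as code. The following is an added example, not code from the fastbots project: it replaces the `eval` call with `ast.literal_eval` plus a shape check, so a locators.ini entry is accepted only if it is a literal `(strategy, value)` pair of strings with a known strategy, and anything else (a call, a name, an attribute access, an unknown strategy) is rejected instead of executed. The INI content, the Selenium-style strategy allow-list and the `parse_locator` / `safe_locator` / `check_file` names are assumptions made for the illustration.

```python
import ast
import configparser
from typing import Dict, Tuple

# Constructed locators.ini content (an assumption about the file's layout,
# not the project's own file). Selenium-style (strategy, value) pairs are
# assumed; the last three entries are the kinds of text that eval() would
# have executed or returned unchecked.
SAMPLE_INI = """
[login_page]
username = ("id", "username")
submit = ("xpath", "//button[@type='submit']")
call_expr = some_function("username")
unknown_strategy = ("teleport", "username")
not_a_pair = "username"
"""

# Assumed allow-list of locator strategies; adjust to the driver in use.
ALLOWED_STRATEGIES = frozenset({
    "id", "name", "xpath", "css selector", "class name", "tag name",
    "link text", "partial link text",
})


class LocatorError(ValueError):
    """Raised when a locators.ini entry is not a plain (strategy, value) pair."""


def load_locators(ini_text: str) -> configparser.ConfigParser:
    """Parse INI text; interpolation is disabled so '%' inside an XPath is inert."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser


def parse_locator(raw: str) -> Tuple[str, str]:
    """Replacement for `eval(raw)`: accept only a literal 2-tuple of strings
    whose first element is a known strategy. Anything else is rejected."""
    try:
        value = ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError) as exc:
        # literal_eval refuses names, calls, attribute access and operators.
        raise LocatorError(f"locator is not a literal: {raw!r}") from exc
    if not (isinstance(value, tuple) and len(value) == 2
            and all(isinstance(part, str) for part in value)):
        raise LocatorError(f"locator must be a (strategy, value) pair: {raw!r}")
    strategy, target = value
    if strategy not in ALLOWED_STRATEGIES:
        raise LocatorError(f"unknown locator strategy {strategy!r}")
    if not target:
        raise LocatorError("locator value must not be empty")
    return strategy, target


def safe_locator(parser: configparser.ConfigParser, page: str, name: str) -> Tuple[str, str]:
    """Hardened counterpart of __locator__: look up, then validate, never eval."""
    return parse_locator(parser.get(page, name))


def check_file(ini_text: str) -> Dict[str, str]:
    """Validate every entry; returns {section.name: 'ok' | error message}.
    Suitable as a pre-flight check before a locator file is deployed."""
    parser = load_locators(ini_text)
    report: Dict[str, str] = {}
    for section in parser.sections():
        for name, raw in parser.items(section):
            try:
                parse_locator(raw)
                report[f"{section}.{name}"] = "ok"
            except LocatorError as exc:
                report[f"{section}.{name}"] = str(exc)
    return report


if __name__ == "__main__":
    for entry, status in check_file(SAMPLE_INI).items():
        print(f"{entry}: {status}")
```

`ast.literal_eval` only builds Python literals (strings, numbers, tuples, lists, dicts, sets, booleans, `None`), so it cannot import modules or call functions; the extra shape and allow-list checks then reject literals that are syntactically fine but meaningless as locators, which is what a strict parser for this file should do.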
How to fix CVE-2023-48699
To remediate CVE-2023-48699, upgrade the affected package to a fixed version below.
- Upgrade to 0.1.5 or later
Is CVE-2023-48699 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- fastbots: versions from 0, < 0.1.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.4 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |