Remote Code Injection vulnerability using Python pickle object
sei-vsarvepalli opened this issue · comments
Vijay Sarvepalli commented
An authenticated attacker can inject arbitrary pickle object as part of a user's profile. This can lead to code execution on the server when the user's profile is accessed. Rapid7 researcher Marcus Chang discovered and reported this security vulnerability to CERT/CC.
Vijay Sarvepalli commented
The relevant code update
Lines 238 to 242 in 213dcd9
Vijay Sarvepalli commented
Resolved with #62