A vulnerability was found in web-arena-x webarena up to 0.2.0. It has been declared as critical. This vulnerability affects the function HTMLContentEvaluator of the file webarena/evaluation_harness/evaluators.py. The manipulation of the argument target["url"] leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
| Link | Tags |
|---|---|
| https://vuldb.com/?id.306376 | third party advisory vdb entry technical description |
| https://vuldb.com/?ctiid.306376 | signature vdb entry permissions required |
| https://vuldb.com/?submit.558415 | third party advisory vdb entry |
| https://github.com/web-arena-x/webarena/issues/194 | third party advisory issue tracking exploit |
| https://github.com/web-arena-x/webarena/issues/194#issuecomment-2796165922 | issue tracking exploit |