Ubertidavide

#25894 of 53,624
9.8 Total CVSS
Vulnerabilities · 1
PT-2023-30907
9.8
2023-11-21
Fastbots · Fastbots · CVE-2023-48699
**Name of the Vulnerable Software and Affected Versions**

fastbots versions prior to 0.1.5

**Description**

The issue allows an attacker to modify the `locators.ini` locator file with Python code that, without proper validation, is executed and could lead to remote code execution (RCE). The vulnerability is in the function `def locator(self, locator_name: str)` in `page.py`. The vulnerable code loads and executes the locator string directly from the file without validation, using `eval(self._bot.locator(self._page_name, locator_name))`.

**Recommendations**

For fastbots versions prior to 0.1.5, upgrade to fastbots version 0.1.5 or above to mitigate this issue. As a temporary workaround, consider disabling the `locator` function until a patch is available. Restrict access to the `locators.ini` file to minimize the risk of exploitation. Avoid using the `eval` function with unvalidated input from the `locators.ini` file until the issue is resolved.
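The following is an added example, not code from fastbots or from this advisory's author, showing how a locator file of this shape can be parsed without `eval`. It assumes locator entries look like `(By.ID, "q")` (the Selenium `By` strategy names in the allowlist are real; the file layout, the sample entries and the names `SAMPLE_INI`, `BY_STRATEGIES`, `parse_locator` and `load_locators` are this example's own). Entries that contain arbitrary Python, like the tampered ones in the constructed sample, are rejected with an error instead of being executed.

```python
import ast
import configparser
import re

# Constructed sample of a locators.ini-style file (not fastbots' own file).
# The first section holds well-formed locators; the second holds two entries
# shaped like the attack the advisory describes, where the "locator" is Python
# code that eval() would execute.
SAMPLE_INI = """
[search_page]
search_box = (By.ID, "q")
submit = (By.CSS_SELECTOR, "button[type='submit']")

[tampered_page]
whole_tuple = (__import__('os').system('echo pwned'), "x")
value_only = (By.ID, __import__('os').system('echo pwned'))
"""

# Allowlist mirroring the Selenium By strategy names and their string values;
# anything not listed here is rejected rather than evaluated.
BY_STRATEGIES = {
    "ID": "id",
    "XPATH": "xpath",
    "LINK_TEXT": "link text",
    "PARTIAL_LINK_TEXT": "partial link text",
    "NAME": "name",
    "TAG_NAME": "tag name",
    "CLASS_NAME": "class name",
    "CSS_SELECTOR": "css selector",
}

# Accepts only the literal shape  (By.<STRATEGY>, <python string literal>)
_LOCATOR_RE = re.compile(r"^\(\s*By\.([A-Z_]+)\s*,\s*(.+?)\s*\)$", re.S)


def parse_locator(raw: str) -> tuple[str, str]:
    """Turn a locator string into a (strategy, value) tuple without eval().

    Raises ValueError for anything that is not a By.* strategy from the
    allowlist paired with a plain string literal.
    """
    match = _LOCATOR_RE.match(raw.strip())
    if not match:
        raise ValueError(f'locator is not of the form (By.X, "..."): {raw!r}')
    strategy, value_literal = match.group(1), match.group(2)
    if strategy not in BY_STRATEGIES:
        raise ValueError(f"unknown By strategy: {strategy}")
    # literal_eval only understands Python literals; a call expression such as
    # __import__('os').system(...) makes it raise instead of executing anything.
    value = ast.literal_eval(value_literal)
    if not isinstance(value, str):
        raise ValueError(
            f"locator value must be a string literal, got {type(value).__name__}"
        )
    return (BY_STRATEGIES[strategy], value)


def load_locators(ini_text: str):
    """Parse every entry of an INI text; return (accepted, rejected).

    accepted: {section: {key: (strategy, value)}}
    rejected: [(section, key, reason)] for entries that failed validation
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    accepted: dict[str, dict[str, tuple[str, str]]] = {}
    rejected: list[tuple[str, str, str]] = []
    for section in parser.sections():
        for key, raw in parser.items(section):
            try:
                accepted.setdefault(section, {})[key] = parse_locator(raw)
            except (ValueError, SyntaxError) as exc:
                rejected.append((section, key, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = load_locators(SAMPLE_INI)
    for section, entries in ok.items():
        for key, locator in entries.items():
            print(f"accepted {section}.{key} -> {locator}")
    for section, key, reason in bad:
        print(f"rejected {section}.{key}: {reason}")
```

The design point is that the file is treated as data with a fixed grammar (an allowlisted strategy plus a string literal) rather than as Python source: `ast.literal_eval` never calls functions or imports modules, so a tampered entry fails validation and is logged as rejected, while well-formed entries still yield the `(strategy, value)` tuples a Selenium `find_element` call expects.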