PT-2023-30907 · Fastbots · Fastbots

Ubertidavide · Published 2023-11-21 · Updated 2023-11-30 · CVE-2023-48699

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

fastbots versions prior to 0.1.5

Description

The issue allows an attacker to modify the locators.ini locator file with Python code that is executed without proper validation and could lead to remote code execution (RCE). The vulnerability is in the function def __locator__(self, locator_name: str) in page.py. The vulnerable code loads and executes content directly from the file without validation, using eval(self._bot.locator(self._page_name, locator_name)).

Recommendations

For fastbots versions prior to 0.1.5, upgrade to fastbots version 0.1.5 or above to mitigate this issue. As a temporary workaround, consider disabling the locator function until a patch is available. Restrict access to the locators.ini file to minimize the risk of exploitation. Avoid using the eval function with unvalidated input from the locators.ini file until the issue is resolved.
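The last recommendation can be met by parsing locator values instead of evaluating them. The sketch below is an example added to this page, not the fastbots 0.1.5 fix or any fastbots code. It assumes each locators.ini value has the shape (By.<STRATEGY>, "<selector>"); the names parse_locator, load_locators and LocatorError and the sample file are hypothetical.

```python
import ast
import configparser
import re

# Selenium "By" strategy names and the string values they stand for.
ALLOWED_BY = {
    "ID": "id", "NAME": "name", "XPATH": "xpath",
    "CSS_SELECTOR": "css selector", "CLASS_NAME": "class name",
    "TAG_NAME": "tag name", "LINK_TEXT": "link text",
    "PARTIAL_LINK_TEXT": "partial link text",
}
# Assumed entry shape: (By.<STRATEGY>, "<selector>"), one quoted string only.
LOCATOR_RE = re.compile(
    r"""\(\s*By\.([A-Z_]+)\s*,\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\)"""
)
# Constructed sample file; "tampered" stands in for injected Python code.
SAMPLE_INI = """
[search_page]
search_box = (By.ID, "q")
result_link = (By.XPATH, "//a[@class='result']")
tampered = __import__("os").getcwd()
"""

class LocatorError(ValueError):
    """Raised when a locators.ini value is not a plain locator tuple."""

def parse_locator(raw: str) -> tuple[str, str]:
    """Turn one locator value into (strategy, selector) without eval()."""
    m = LOCATOR_RE.fullmatch(raw.strip())  # fullmatch: no trailing code allowed
    if m is None or m.group(1) not in ALLOWED_BY:
        raise LocatorError(f"rejected locator: {raw!r}")
    try:
        selector = ast.literal_eval(m.group(2))  # decodes a literal, runs nothing
    except (ValueError, SyntaxError) as exc:
        raise LocatorError(f"bad selector string: {raw!r}") from exc
    return ALLOWED_BY[m.group(1)], selector

def load_locators(ini_text: str, page: str):
    """Parse every locator of one page; return (valid, rejected_names)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    valid, rejected = {}, []
    for name, raw in cfg[page].items():
        try:
            valid[name] = parse_locator(raw)
        except LocatorError:
            rejected.append(name)
    return valid, rejected
```

Rejected entry names are worth logging, since a value that fails this check means the locator file was edited outside the expected format.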

Exploit

Fix

Code Injection

Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2023-48699
GHSA-VCCG-F4GP-45X9

Affected Products

Fastbots