An attacker may be able to execute malicious actions due to the lack of device access protections and device permissions when using the web application. This could lead to uploading python files which can be later executed.
Credits
Aarón Flecha of S21sec reported this vulnerability to CISA.
