Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A1:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | High |
Description
User input taken from an HTTP request (query parameters, form fields, headers, JSON bodies) is passed, without validation, into a system command through functions such as os.system, os.popen, or subprocess calls with shell=True. Because the assembled string is interpreted by a shell, characters such as `;`, `|`, `&&`, backticks and `$(...)` let an attacker terminate the intended command and append their own, which the server then executes with the privileges of the application process.
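The following is an added example, not code from the original page or from the tool it documents. It contrasts the vulnerable pattern described above (a request value spliced into a shell command line) with two hardened forms: passing the value as a single argv element with no shell, and an allowlist check that rejects anything that is not a plausible hostname before it reaches subprocess. The function names, the `name`/`host` parameters, the hostname regex and the "; echo INJECTED" payload are all constructed for the example; it assumes a POSIX /bin/sh, which is what shell=True and os.system use on Linux and macOS.

```python
import re
import subprocess
from typing import List

# Constructed allowlist: DNS-style labels only. Rejects shell metacharacters
# and also a leading "-", so the value can never be mistaken for a ping flag.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_greet(name: str) -> str:
    """Vulnerable: the request value is concatenated into a shell command.

    Equivalent to os.system("echo " + name). shell=True hands the whole
    string to /bin/sh, so name = "hello; echo INJECTED" runs a second
    command and the output contains INJECTED on its own line.
    """
    result = subprocess.run(
        "echo " + name, shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout


def safe_greet(name: str) -> str:
    """Hardened: argv list, no shell.

    The value is a single argument to echo and is never parsed for
    metacharacters, so "hello; echo INJECTED" is printed literally.
    """
    result = subprocess.run(
        ["echo", name], shell=False, capture_output=True, text=True, check=True
    )
    return result.stdout


def is_valid_hostname(value: str) -> bool:
    """Allowlist check for values that must become command arguments."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def safe_ping_argv(host: str) -> List[str]:
    """Build the argv for `ping -c 1 <host>` only after the allowlist passes.

    Returned instead of executed so the builder can be exercised offline;
    the caller would pass the list to subprocess.run without shell=True.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    payload = "hello; echo INJECTED"          # constructed attacker input
    print("vulnerable:", repr(vulnerable_greet(payload)))
    print("safe      :", repr(safe_greet(payload)))
    for candidate in ("example.com", "example.com; id", "-c"):
        print(candidate, "->", is_valid_hostname(candidate))
```

Note that dropping the shell is the fix that removes the injection class; the allowlist is a second layer for argument injection (values beginning with `-`) and for commands that re-parse their arguments. Quoting with shlex.quote before shell=True also works for a single argument, but it is easy to miss one call site, so the argv form should be the default.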
Impact
If exploited, an attacker can run arbitrary commands with the privileges of the application process, potentially leading to data theft, credential exposure, server compromise, or complete system takeover. This can result in data breaches, service disruption, and significant harm to the organization.