Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A1:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
The code passes data taken directly from an external event (for example a request or handler payload) into os.system or os.popen. Both hand the string to the system shell, so shell metacharacters in the input (;, |, &&, $( ), backticks) are interpreted as command syntax rather than data. Unless the value is validated against a strict allowlist, or the command is run without a shell with the value as a separate argument, an attacker who controls that field can append and execute arbitrary commands.
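The following is an added example, not code from the original page or from the scanner this rule belongs to. It shows the flagged pattern next to two fixes: the vulnerable function concatenates event data into a string that os.system hands to the shell; the preferred fix validates the value against an allowlist and passes it as one argv element with no shell; the fallback fix uses shlex.quote when a shell cannot be avoided. The event shape, the `hostname` field, the `ping` command and all function names are assumptions made for illustration. The last helper runs a child Python process rather than ping so the block runs offline and proves that, without a shell, the injection payload arrives as plain text.

```python
import os
import re
import shlex
import subprocess
import sys

# Constructed sample event (assumption: the handler receives a dict such as a
# Lambda or webhook payload). The hostname field carries an injection payload.
SAMPLE_EVENT = {"hostname": "example.com; cat /etc/passwd"}

# Hostname allowlist: letters, digits, dots and hyphens, and it must not start
# with a hyphen so the value can never be parsed as a command-line option.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_vulnerable_command(event):
    """The flagged pattern: event data is concatenated into one shell string."""
    return "ping -c 1 " + event["hostname"]


def vulnerable_handler(event):
    # os.system (like os.popen) runs the string via /bin/sh -c, so the
    # "; cat /etc/passwd" suffix executes as a second command. Never called here.
    return os.system(build_vulnerable_command(event))


def validate_hostname(value):
    """Reject anything outside the allowlist instead of trying to strip bad characters."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected hostname: {value!r}")
    return value


def build_safe_argv(event):
    """Preferred fix: the validated value becomes a single argv element, no shell involved."""
    return ["ping", "-c", "1", validate_hostname(event["hostname"])]


def safe_handler(event):
    argv = build_safe_argv(event)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


def build_quoted_command(event):
    """Fallback when a shell is unavoidable: shlex.quote turns the value into one
    literal word, so the metacharacters survive but are no longer interpreted."""
    return "ping -c 1 " + shlex.quote(event["hostname"])


def echo_without_shell(payload):
    """Demonstrates that an argv list delivers metacharacters as plain data: a child
    Python process prints its argv[1] back unchanged and nothing else is executed."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", payload],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("vulnerable :", build_vulnerable_command(SAMPLE_EVENT))
    print("quoted     :", build_quoted_command(SAMPLE_EVENT))
    print("round-trip :", echo_without_shell(SAMPLE_EVENT["hostname"]))
    try:
        build_safe_argv(SAMPLE_EVENT)
    except ValueError as exc:
        print("validated  :", exc)
    print("clean argv :", build_safe_argv({"hostname": "example.com"}))
```

Allowlisting plus an argv list is the robust fix: it removes the shell from the path entirely and also blocks option injection (a value such as `-c` is rejected before it can become a flag). shlex.quote only defends against the shell parser; it does nothing about values that are valid shell words but still dangerous to the target program.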
Impact
If exploited, an attacker can run arbitrary system commands on the server with the privileges of the application process, potentially leading to data theft, service disruption, or full compromise of the host and any credentials it holds.