Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description#
User-controlled data from the ’event’ object is being passed directly to OS process-spawning functions (like os.spawn* or os.startfile). This allows untrusted input to dictate system commands, creating a serious security risk.
Impact#
If exploited, an attacker could execute arbitrary commands on the server, potentially leading to data theft, service disruption, or full system compromise. This can result in loss of sensitive information, unauthorized access, and severe reputational and operational damage.