Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
The code passes user-supplied input directly to os.system(), allowing attackers to inject and execute arbitrary system commands. This is insecure because it lets users control what commands are run on the server.
Impact#
If exploited, attackers can execute any command with the application’s privileges—potentially reading or modifying sensitive data, taking control of the server, or disrupting service. This can lead to data breaches, server compromise, and significant damage to the organization’s systems and reputation.