Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
User input from web requests is being passed directly into os.system() commands. This allows attackers to inject and execute arbitrary system commands on the server, making the code highly insecure.
Impact#
If exploited, an attacker could execute malicious commands on the server with the application’s privileges, leading to data theft, server compromise, service disruption, or a complete system takeover. This puts sensitive data and the integrity of the entire application at risk.