SYM_PY_0108 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User-controlled input from an event object is being passed directly to an asyncio subprocess shell function. This allows untrusted data to be executed as part of a system command, creating a command injection risk.
Impact
If exploited, an attacker could run arbitrary system commands on the server, potentially accessing sensitive data, modifying files, or taking control of the application environment. This can lead to data breaches, service disruption, or full system compromise.