SYM_PY_0148 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
The code passes user-supplied input directly to os.system(), allowing attackers to inject and execute arbitrary system commands. This is insecure because it lets users control what commands are run on the server.
Impact
If exploited, attackers can execute any command with the application's privileges—potentially reading or modifying sensitive data, taking control of the server, or disrupting service. This can lead to data breaches, server compromise, and significant damage to the organization’s systems and reputation.