SYM_PY_0152 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
User-supplied data from Flask requests is being passed directly into subprocess calls without proper validation or sanitization. This allows attackers to control command arguments, leading to unsafe command execution.
Impact
If exploited, an attacker could execute arbitrary system commands on the server, potentially stealing data, installing malware, or taking full control of the host. This can result in data breaches, service outages, or further compromise of your infrastructure.