SYM_PY_0167 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| OWASP | A01:2017 - Injection |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Building shell commands by concatenating or formatting strings, especially with user input, can allow attackers to inject malicious commands. Instead, pass command arguments as a list to avoid unintended code execution.
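The flagged pattern next to the list-based fix, as an added example that is not part of this rule's own documentation. It assumes Python, a POSIX system with `sh` and `echo` available, and uses hypothetical function names and a constructed input string.

```python
import shlex
import subprocess

# Constructed input: a "filename" that also carries a shell metacharacter.
SAMPLE = "notes.txt; echo INJECTED"


def echo_unsafe(filename: str) -> list[str]:
    # Flagged pattern: input concatenated into a string that a shell parses.
    # The shell treats ';' as a command separator, so two commands run.
    proc = subprocess.run("echo " + filename, shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def echo_safe(filename: str) -> list[str]:
    # Fix: pass arguments as a list. No shell is involved, so the whole
    # string reaches the program as exactly one argument.
    proc = subprocess.run(["echo", filename],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def echo_quoted(filename: str) -> list[str]:
    # Fallback when a shell cannot be avoided (pipes, redirection):
    # quote every untrusted value with shlex.quote before formatting.
    proc = subprocess.run("echo " + shlex.quote(filename), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("unsafe:", echo_unsafe(SAMPLE))   # second command executed
    print("safe:  ", echo_safe(SAMPLE))     # input stayed one argument
    print("quoted:", echo_quoted(SAMPLE))   # input stayed one argument
```

The list form only stops the shell from reinterpreting the input; the called program still receives the value, so a value beginning with `-` can still be read as an option unless the program's arguments are validated or terminated with `--` where supported.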
Impact
If exploited, an attacker could execute arbitrary system commands with the privileges of your application, potentially leading to data theft, corruption, or complete system compromise. This can expose sensitive information or allow attackers to take control of your server.