Vulnerability Details
Severity:
Critical
Category:
Web Application
Description
The application passes user-supplied input to system shell commands without proper sanitization, allowing attackers to inject and execute arbitrary operating system commands.
Risks
An attacker could execute arbitrary commands on the host operating system, leading to full system compromise, data exfiltration, installation of backdoors, or lateral movement within the network.
Remediation
Avoid calling OS commands directly from application code. Use language-specific libraries and APIs instead. If OS commands are necessary, use parameterized interfaces, validate input against strict allowlists, and never concatenate user input into command strings.
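The contrast the remediation describes, as an added Python example that is not part of the original finding: a request handler that needs to ping a user-supplied host. The vulnerable form builds a shell command string by concatenation (returned here, never executed, so the effect of a metacharacter can be inspected). The hardened form validates the value against a strict hostname allowlist, passes it to `subprocess.run` as an argv list with no shell, and prefers a library call (`socket.gethostbyname`) where the real need is name resolution rather than running a binary. The endpoint, the `host` field and the use of `ping` are assumptions for illustration.

```python
import re
import socket
import subprocess

# Allowlist for the only input this handler accepts: a DNS hostname.
# Each label is alphanumerics and hyphens, labels are joined by dots, total
# length at most 253. Spaces, ';', '$', '|', '`' and other shell
# metacharacters cannot match, so they are rejected before any command exists.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def vulnerable_command(user_host: str) -> str:
    """The pattern the finding describes: untrusted input concatenated into a
    string that would be handed to a shell. Returned, not executed, so the
    reader can see that 'example.com; id' yields a second command."""
    return "ping -c 1 " + user_host


def is_allowed_hostname(user_host: str) -> bool:
    """Strict allowlist check; anything not matching the grammar is rejected."""
    return _HOSTNAME_RE.fullmatch(user_host) is not None


def validate_hostname(user_host: str) -> str:
    if not is_allowed_hostname(user_host):
        raise ValueError("hostname rejected by allowlist")
    return user_host


def build_ping_argv(user_host: str) -> list:
    """Hardened form: one argument per list element, nothing parsed by a shell.
    '--' ends option parsing so a value beginning with '-' cannot become a flag."""
    host = validate_hostname(user_host)
    return ["ping", "-c", "1", "--", host]


def ping_host(user_host: str) -> int:
    """Runs ping without a shell (shell=False is the default for a list argv).
    Returns the exit status; stdout/stderr are captured rather than inherited."""
    result = subprocess.run(
        build_ping_argv(user_host), capture_output=True, timeout=10, check=False
    )
    return result.returncode


def resolve_host(user_host: str) -> str:
    """Preferred alternative when the goal is name resolution: a library API,
    so no OS command is involved at all."""
    return socket.gethostbyname(validate_hostname(user_host))


if __name__ == "__main__":
    # Constructed inputs: a legitimate hostname and one carrying a metacharacter.
    for candidate in ("example.com", "example.com; id", "$(id)", "-n"):
        print(f"{candidate!r}: allowed={is_allowed_hostname(candidate)}")
    print("vulnerable string:", vulnerable_command("example.com; id"))
    print("hardened argv:   ", build_ping_argv("example.com"))
```

The allowlist does the heavy lifting: because the grammar admits only hostname characters, escaping or quoting is never needed, and the argv list means the host value reaches `ping` as a single argument even if the allowlist were loosened later.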