Operating System Command Injection

critical Web App Scanning Plugin ID 98123

Language:

Synopsis

Operating System Command Injection

Description

OS command injection occurs when user supplied input is used to form a command to be executed by the operating system.

Scanner was able to inject specific Operating System commands and have the output from that command contained within the server response. This indicates that input is not being sanitized properly.

Solution

It is recommended that untrusted data is never used to form a command to be executed by the OS.
To validate data, the application should ensure that the supplied value contains only the characters that are required to perform the required action.

See Also

http://projects.webappsec.org/w/page/13246950/OS%20Commanding

https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Plugin Details

Severity: Critical

ID: 98123

Type: remote

Family: Code Execution

Published: 3/31/2017

Updated: 4/17/2025

Scan Template: api, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 78, 94

OWASP: 2010-A1, 2013-A1, 2017-A1, 2021-A3

WASC: OS Commanding

CAPEC: 108, 15, 242, 35, 43, 6, 77, 88

DISA STIG: APSC-DV-002510

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API8

OWASP ASVS: 4.0.2-5.2.5, 4.0.2-5.3.8

PCI-DSS: 3.2-6.5.1