Description

This page is vulnerable to Argument Injection. A web application is vulnerable to argument injection when untrusted inputs are passed as arguments when executing a specific command. An attacker can manipulate the arguments passed to the process to trigger an OS command injection.

Remediation

Assume all input is malicious. Use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

References

Improper Neutralization of Argument Delimiters in a Command

Argument Injection Hammer Burp Suite Extension

Related Vulnerabilities

Nginx PHP code execution via FastCGI

WordPress Plugin W3 Total Cache PHP Code Injection (0.9.2.8)

IBM WebSphere RCE Java Deserialization Vulnerability

Drupal Remote Code Execution (SA-CORE-2018-002)

CyberPanel RCE (CVE-2024-51567/CVE-2024-51568/CVE-2024-51378)

Severity

High

Classification

CWE-88 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor