URL: http://192.168.178.80:8000/admin/runCommand
Path: /admin/runCommand
Hostname: 192.168.178.80
Port: 8000
Vulnerable Parameter: command
CWE: 74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
Category: Code Injection
Plugin: Code Injection
Severity: 4
Attack Vector: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Injection happens when untrusted data is inserted into an interpreted syntax and subsequently evaluated on the server side. That syntax may be a SQL query, a parsed JSON or XML document, an executed script, or any other syntax the application uses. Although the target syntax has not been identified, the application's behavior shows that the input HTTP parameter may be inserted without proper escaping. This was observed by sending valid and invalid payloads, some of which should raise errors and some of which should not. By inserting the payloads ', '' and ''' into the command parameter, the scanner observed a difference in the responses, which is a good indicator of a potential vulnerability. Confidence: low. Response codes: 400, 200, 400. Similarities: ' vs '': 0.0; '' vs ''': 0.0; ' vs ''': 1.0. It is recommended to identify how this parameter is used in the application source code and make sure it is escaped before being inserted into any syntax or query. You can add valid values to an allowlist and invalid values to a blocklist.
Don't know how to fix this? Don't know why this was reported?
Get Assistance from Veracode