Remote OS Command Injection

abhimanyumanocha · September 11, 2020, 7:19am

I have run Zap scanning tool on my Grafana Project. we are using grafana 6.7.3 version.
Zap has reported Remote OS Command Injection alert of high severity. Below is detail of Alert -

Description	Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs.

URL	http://<IpAddress>/api/admin/users
Method	POST
Parameter	email
Attack	<email>"&timeout /T 15&"
URL	http://<IpAddress>/api/admin/users
Method	POST
Parameter	login
Attack	<name>"&sleep 15&"

Could you please let me know the resolution for the same.

Regards,
Abhimanyu

abhimanyumanocha · September 16, 2020, 4:15am

Hello

it seems to be high risk vulnerability under -

can some one respond how to overcome from this vulnerability.

regards,
Abhimanyu

Topic		Replies	Views
SQL Injection : Zap report Grafana	6	727	August 27, 2021
Timestamp Disclosure - Unix	0	1835	September 15, 2020
Information Disclosure - Suspicious Comments Grafana	6	1457	April 23, 2021
Path Traversal Vulnerability Grafana	0	702	September 17, 2020
Grafana Enterprise 6.7.6, 7.3.10 and 7.4.5 Security Update Security Announcements	0	4884	March 18, 2021

Remote OS Command Injection

Related topics