Multiple programming languages fail to escape arguments properly in Microsoft Windows
Posted: Mon Feb 03, 2025 10:12 am
Various programming languages lack proper validation mechanisms for commands and, in some cases, also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment. The resulting command injection vulnerability allows attackers to execute arbitrary code disguised as arguments to the command when these languages run on Windows. It may also affect applications that execute commands without specifying the file extension.
https://www.kb.cert.org/vuls/id/123335
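A conservative pre-launch check for the case described above, as an added example that is not part of the original post or the linked note: it models a PATHEXT-style lookup in simplified form and refuses cmd.exe metacharacters in arguments when a bare command name resolves to a .bat or .cmd file, which Windows runs through cmd.exe. The function names, the metacharacter set and the directory listing are assumptions constructed for illustration.

```python
import ntpath

# Conservative set of characters cmd.exe treats specially (assumption of this example).
CMD_META = set('&|<>^%!"()\r\n')
BATCH_EXTS = {".bat", ".cmd"}  # Windows runs these through cmd.exe, which re-parses the line
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"

# Constructed stand-in for the file system so the example runs offline.
LISTING = {r"C:\tools": {"convert.bat", "hash.exe"}}
DIRS = [r"C:\tools"]


def resolve(command, search_dirs, listing, pathext=DEFAULT_PATHEXT):
    """Return the file a command name would resolve to, or None (simplified model)."""
    exts = [e.lower() for e in pathext.split(";") if e]
    has_ext = ntpath.splitext(command)[1].lower() in exts
    # A name without an extension is tried with each PATHEXT entry in order.
    candidates = [command] if has_ext else [command + e for e in exts]
    for d in search_dirs:
        names = {n.lower(): n for n in listing.get(d, ())}
        for c in candidates:
            if c.lower() in names:
                return ntpath.join(d, names[c.lower()])
    return None


def check_invocation(command, args, search_dirs, listing):
    """Return (target, problems); an empty problems list means the call may proceed."""
    target = resolve(command, search_dirs, listing)
    if target is None:
        return None, ["command not found"]
    problems = []
    # Only batch targets hand their arguments to cmd.exe for a second parse.
    if ntpath.splitext(target)[1].lower() in BATCH_EXTS:
        for i, arg in enumerate(args):
            bad = sorted(CMD_META & set(arg))
            if bad:
                problems.append(f"arg {i}: cmd.exe metacharacters {bad!r}")
    return target, problems


if __name__ == "__main__":
    for cmd, argv in [("convert", ["in.txt"]), ("convert", ["a&b"]), ("hash", ["a&b"])]:
        print(cmd, argv, check_invocation(cmd, argv, DIRS, LISTING))
```

Rejecting the characters outright is stricter than escaping them, and it sidesteps the escaping step that the note says languages get wrong.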