External Control of System or Configuration Setting

Summary

When dalfox is started in REST API server mode (dalfox server), the server binds to "0.0.0.0:6664" by default and requires no API key unless the operator explicitly passes "--api-key". Because "model.Options" -- including "FoundAction" and "FoundActionShell" -- is deserialized directly from attacker-supplied JSON in "POST /scan", and because "dalfox.Initialize" explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This issue affects versions prior to 2.13.0.