hak5 / pineapple-modules

The Official WiFi Pineapple Module Repository for the WiFi Pineapple Mark VII
https://wifipineapple.com

Command injection in nmap web gui #75

Closed ultimateshadsform closed 5 months ago

ultimateshadsform commented 5 months ago

It's probably designed to work like this but still.

dallaswinger commented 5 months ago

Nmap commands in some cases can take advantage of nested bash so this might also be considered a feature by the module author.

However, as far as potential security concerns go, due to authentication being required to access this module I wouldn't categorize this as an issue. Once authenticated to the web UI there is a root web shell built in and accessible - this does not provide anything beyond that.

Feel free to provide additional info if I am missing some part of the picture.

ultimateshadsform commented 5 months ago

Yeah that's probably why