Description
The current code contains a severe security vulnerability which results in arbitrary shell command execution with the rights of the user running the service. If you follow the README's installation instructions, this is the root user, resulting in immediate total system compromise.
The problematic code is here: https://github.com/alvinsiew/ldap-self-service/blob/main/internal/web/web.go#L20-L21

```go
// The user-controlled form values (u, op, np) are concatenated into a single
// string that is then handed to "bash -c", so any shell metacharacter in them
// is interpreted by the shell rather than passed to ldappasswd.
cmd := "ldappasswd -H " + ldapADDR + " -x -D cn=" + u + "," + userDN + " -w " + op + " -s " + np
out, err := exec.Command("bash", "-c", cmd).Output()
```

If the attacker enters a new password containing a semicolon, everything following it is executed as bash commands. To validate: enter "whatever ; touch /tmp/hacked" as the new password (all other fields don't matter) and check that the file /tmp/hacked now exists.
Solution: Don't shell out for changing the password but use a Go LDAP library like https://pkg.go.dev/github.com/go-ldap/ldap/v3#Conn.PasswordModify instead.
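The following Go example, added here and not part of the project or the issue, reproduces the concatenated command line and contrasts it with an argument-vector invocation that keeps each field as one argv element; the ldapADDR and userDN values are constructed, and the issue's actual recommendation remains to drop the subprocess and call go-ldap's Conn.PasswordModify.

```go
package main

import (
	"fmt"
	"os/exec"
)

// Constructed sample values standing in for the service's configuration
// (assumption: the names mirror those used in the issue's snippet).
const (
	ldapADDR = "ldap://ldap.example.internal"
	userDN   = "ou=people,dc=example,dc=com"
)

// vulnerableCommandLine reproduces the string the reported code hands to
// "bash -c": every form field is spliced into one shell command line, so a
// ';' in the new password ends the ldappasswd command and starts another.
func vulnerableCommandLine(u, op, np string) string {
	return "ldappasswd -H " + ldapADDR + " -x -D cn=" + u + "," + userDN + " -w " + op + " -s " + np
}

// safeArgv builds the same invocation as an argument vector. exec.Command with
// explicit arguments executes the binary directly (no shell), so each field
// reaches ldappasswd as exactly one argv element, metacharacters included.
// This is only an intermediate hardening: passwords in argv are still visible
// in process listings, which is why the issue recommends go-ldap's
// Conn.PasswordModify instead of any subprocess.
func safeArgv(u, op, np string) []string {
	return []string{"ldappasswd", "-H", ldapADDR, "-x", "-D", "cn=" + u + "," + userDN, "-w", op, "-s", np}
}

// runSafe wires safeArgv into exec.Command. It is not called from main
// because no ldappasswd binary or LDAP server is available in this example.
func runSafe(u, op, np string) ([]byte, error) {
	argv := safeArgv(u, op, np)
	return exec.Command(argv[0], argv[1:]...).Output()
}

func main() {
	payload := "whatever ; touch /tmp/hacked" // the issue's proof-of-concept input
	fmt.Println("bash -c sees:", vulnerableCommandLine("alice", "oldpw", payload))
	for i, a := range safeArgv("alice", "oldpw", payload) {
		fmt.Printf("argv[%d] = %q\n", i, a) // argv[9] is the whole payload, unsplit
	}
}
```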