Vulnerability Details CVE-2022-50793
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious 'services' parameter values to execute arbitrary system commands with www-data user privileges.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.6%
CVSS Severity
CVSS v3 Score 8.8
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247917
- https://packetstormsecurity.com/files/170264/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-services-Command-Injection.html
- https://www.sound4.com/
- https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-authenticated-command-injection-via-www-data-handlerphp
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5737.php
Products affected by CVE-2022-50793
-
cpe:2.3:a:sound4:stream_extension:2.4.29
-
cpe:2.3:h:sound4:big_voice2:-
-
cpe:2.3:h:sound4:big_voice4:-
-
cpe:2.3:h:sound4:first:1.0
-
cpe:2.3:h:sound4:first:2.0
-
cpe:2.3:h:sound4:impact:1.0
-
cpe:2.3:h:sound4:impact:2.0
-
cpe:2.3:h:sound4:impact_eco:-
-
cpe:2.3:h:sound4:pulse:1.0
-
cpe:2.3:h:sound4:pulse:2.0
-
cpe:2.3:h:sound4:pulse_eco:-
-
cpe:2.3:h:sound4:wm2:-
-
cpe:2.3:o:sound4:big_voice2_firmware:1.30
-
cpe:2.3:o:sound4:big_voice4_firmware:1.2
-
cpe:2.3:o:sound4:first_firmware:1.69
-
cpe:2.3:o:sound4:first_firmware:2.15
-
cpe:2.3:o:sound4:impact_eco_firmware:1.16
-
cpe:2.3:o:sound4:impact_firmware:1.69
-
cpe:2.3:o:sound4:impact_firmware:2.15
-
cpe:2.3:o:sound4:pulse_eco_firmware:1.16
-
cpe:2.3:o:sound4:pulse_firmware:1.69
-
cpe:2.3:o:sound4:pulse_firmware:2.15
-
cpe:2.3:o:sound4:wm2_firmware:1.11