Vulnerability Description
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory with .dns.pid extension. Unauthenticated attackers can execute the malicious commands by making a single HTTP POST request to the vulnerable dns.php script, which triggers command execution and then deletes the file.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sound4 | Impact Firmware | 2.15 |
| Sound4 | Impact | 2.0 |
| Sound4 | Pulse Firmware | 2.15 |
| Sound4 | Pulse | 2.0 |
| Sound4 | First Firmware | 2.15 |
| Sound4 | First | 2.0 |
| Sound4 | Impact Eco Firmware | 1.16 |
| Sound4 | Impact Eco | - |
| Sound4 | Pulse Eco Firmware | 1.16 |
| Sound4 | Pulse Eco | - |
| Sound4 | Big Voice4 Firmware | 1.2 |
| Sound4 | Big Voice4 | - |
| Sound4 | Big Voice2 Firmware | 1.30 |
| Sound4 | Big Voice2 | - |
| Sound4 | Wm2 Firmware | 1.11 |
| Sound4 | Wm2 | - |
| Sound4 | Stream Extension | 2.4.29 |
Related Weaknesses (CWE)
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247922Third Party Advisory
- https://packetstormsecurity.com/files/170260/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-dExploitThird Party AdvisoryVDB Entry
- https://www.sound4.com/Product
- https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-conditional-comThird Party Advisory
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5733.phpExploitThird Party Advisory
FAQ
What is CVE-2022-50789?
CVE-2022-50789 is a vulnerability with a CVSS score of 7.8 (HIGH). SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory with .dns.pid extension. Unauthenti...
How severe is CVE-2022-50789?
CVE-2022-50789 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-50789?
Check the references section above for vendor advisories and patch information. Affected products include: Sound4 Impact Firmware, Sound4 Impact, Sound4 Pulse Firmware, Sound4 Pulse, Sound4 First Firmware.