CVE-2022-50793
Authenticated Command Injection in SOUND4 www-data-handler.php (<=2.x
Publication date: 2025-12-30
Last updated on: 2025-12-30
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sound4 | impact | 2.x |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SOUND4 IMPACT/FIRST/PULSE/Eco versions up to 2.x, where an authenticated command injection flaw in the www-data-handler.php script allows attackers to inject and execute arbitrary system commands by manipulating the 'services' POST parameter. The commands execute with www-data user privileges.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can execute arbitrary system commands on the affected system with www-data user privileges, potentially leading to unauthorized access, data compromise, system disruption, or further escalation of privileges.