CVE-2022-50795
Command Injection in SOUND4 IMPACT Traceroute.php Enables Remote Code Execution
Publication date: 2025-12-30
Last updated on: 2025-12-30
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sound4 | impact | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x is a conditional command injection flaw. It allows local authenticated users to create malicious files in the /tmp directory. Additionally, unauthenticated attackers can execute commands by sending a single HTTP POST request to the traceroute.php script, which triggers the malicious file and deletes it after execution.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized command execution on the affected system. This means attackers could potentially run arbitrary commands, leading to full compromise of confidentiality, integrity, and availability of the system.