CVE-2023-53963
Unknown Unknown - Not Provided
OS Command Injection in SOUND4 IMPACT Login Scripts

Publication date: 2025-12-22

Last updated on: 2025-12-22

Assigner: VulnCheck

Description
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2025-12-22
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53963
EUVD
EUVD-2023-60248
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sound4 impact *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-53963 is an unauthenticated OS command injection vulnerability in SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x and related products. It allows remote attackers to inject and execute arbitrary shell commands on the affected system by sending malicious input through the 'password' HTTP POST parameter in the login.php and index.php scripts. This happens because the application executes shell commands using the PHP exec() function without properly sanitizing the 'password' parameter, enabling attackers to run commands with the privileges of the web server without needing to authenticate. [1, 2, 3]

Impact Analysis

This vulnerability can have critical impacts including allowing attackers to gain full control over the affected system by executing arbitrary commands remotely without authentication. This can lead to unauthorized access, data theft, system compromise, and denial of service (DoS). Since commands run with web server privileges, attackers can manipulate files, disrupt services, or use the system as a foothold for further attacks. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by attempting to inject shell commands via the 'password' HTTP POST parameter to the login.php or index.php scripts. For example, sending a POST request with a payload like `password=`id>/var/www/g`` can test if command execution is possible by checking if the output file is created or contains expected command output. Monitoring web server logs for suspicious POST requests to these scripts with unusual 'password' parameter values can also help detect exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected login.php and index.php scripts, applying input validation or sanitization on the 'password' parameter to prevent command injection, and updating or patching the SOUND4 IMPACT/FIRST/PULSE/Eco software to a version where this vulnerability is fixed. If patches are not available, consider disabling the vulnerable services or isolating the affected system from untrusted networks to prevent remote exploitation. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart