PT-2023-12762 · Audiocodes · Audiocodes Device Manager Express

Eric Flokstra · Published 2023-05-29 · Updated 2023-06-02 · CVE-2022-24630

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AudioCodes Device Manager Express versions through 7.8.20002.47752

Description: An issue was discovered that allows execution of commands. The "/BrowseFiles.php" API endpoint is vulnerable to a POST request with the cmd parameter set to "ssh" together with an ssh command field, whose contents are then executed.

Recommendations: For AudioCodes Device Manager Express versions through 7.8.20002.47752, as a temporary workaround, consider restricting access to the "/BrowseFiles.php" API endpoint to minimize the risk of exploitation. Avoid using the ssh command field of the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection


Weakness Enumeration

Related identifiers

CVE-2022-24630

Affected products

Audiocodes Device Manager Express