PT-2023-12762 · Audiocodes · Audiocodes Device Manager Express
Eric Flokstra · Published 2023-05-29 · Updated 2023-06-02
CVE-2022-24630
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
AudioCodes Device Manager Express versions through 7.8.20002.47752
Description
An issue was discovered that allows execution of commands. The "/BrowseFiles.php" API endpoint is vulnerable to a POST request with a cmd parameter set to "ssh" and an ssh command field, which is then executed.
Recommendations
For AudioCodes Device Manager Express versions through 7.8.20002.47752, as a temporary workaround, consider restricting access to the "/BrowseFiles.php" API endpoint to minimize the risk of exploitation. Avoid using the ssh command field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Command Injection
Affected Products
Audiocodes Device Manager Express