PT-2025-52700 · Unknown · Sound4 Impact+3

Published: 2025-12-22 · Updated: 2025-12-23 · CVE-2023-53963

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x

Description: The software contains an unauthenticated OS command injection issue that allows remote attackers to execute arbitrary shell commands. This is possible through the 'password' parameter in the login.php and index.php scripts. Attackers can inject shell commands via the password POST parameter, enabling them to execute commands with web server privileges.

Recommendations: Versions prior to 2.x should be updated. As a temporary workaround, restrict access to the login.php and index.php scripts to minimize the risk of exploitation. Avoid using the password parameter in the affected API endpoints until the issue is resolved.

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2023-53963

Affected Products

Sound4 Eco
Sound4 First
Sound4 Impact
Sound4 Pulse