CVE-2022-50789

Name of the Vulnerable Software and Affected Versions SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and earlier

Description The software contains a command injection issue. Local authenticated users can create malicious files in the /tmp directory with a '.dns.pid' extension. An unauthenticated attacker can execute malicious commands by sending an HTTP POST request to the dns.php script. This script triggers command execution and then deletes the file. The API endpoint involved is /dns.php.

Recommendations Versions prior to 2.x should be updated.