CVE-2022-50793
HIGH WAF: High
CVSS 8.8
Published: 2025-12-30
CWE-78
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious 'services' parameter values to execute arbitrary system commands with www-data user privileges.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| sound4 | impact_firmware | 2.15 |
| sound4 | impact_firmware | 1.69 |
| sound4 | pulse_firmware | 2.15 |
| sound4 | pulse_firmware | 1.69 |
| sound4 | first_firmware | 2.15 |
| sound4 | first_firmware | 1.69 |
| sound4 | impact_eco_firmware | 1.16 |
| sound4 | pulse_eco_firmware | 1.16 |
| sound4 | big_voice4_firmware | 1.2 |
| sound4 | big_voice2_firmware | 1.30 |
References
- exchange.xforce.ibmcloud.com (Third Party Advisory)
- packetstormsecurity.com (Exploit, Third Party Advisory, VDB Entry)
- www.sound4.com (Product)
- www.vulncheck.com (Third Party Advisory)
- www.zeroscience.mk (Exploit, Third Party Advisory)