CVE-2023-53963

SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands through the 'password' parameter. Attackers can exploit the login.php and index.php scripts by injecting shell commands via the 'password' POST parameter to execute commands with web server privileges.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheckCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Common Weakness Enumeration
References
https://web.archive.org/web/20221207074555/https://www.sound4.com/
https://www.exploit-db.com/exploits/51173
https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-unauthenticated-remote-command-injection
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5738.php