SOUND4 Impact/Pulse/First/Eco Command Injection Vulnerability in www-data-handler.php

Vulnerability

A command injection vulnerability has been identified in SOUND4 IMPACT, FIRST, PULSE, and Eco versions through 2.x. The issue resides in the www-data-handler.php script, where the 'services' POST parameter is improperly sanitized before being passed to a system command. This vulnerability allows authenticated attackers to execute arbitrary commands on the server with www-data user privileges.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the server, potentially allowing an attacker to manipulate system files or processes.

Reproduction

To reproduce this vulnerability, send a POST request to the www-data-handler.php script with a crafted 'services' parameter that includes the desired system command. The injected command will be executed by the server with www-data user privileges.
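For defenders, one way to flag such requests in captured traffic or at a reverse proxy in front of the device. This is an added example, not code from the advisory or from SOUND4. It assumes a form-encoded POST body and that legitimate service names are short alphanumeric tokens, since the advisory does not document the real format. The sample requests and the function name suspicious_services are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: legitimate service identifiers are short tokens made of
# letters, digits, '_', '-' and '.'. Tune this to the values your device sends.
SAFE_SERVICE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
TARGET_SCRIPT = "www-data-handler.php"  # script named in the advisory


def suspicious_services(method, url, body):
    """Return the 'services' values of a form-encoded POST to the handler
    that fall outside the allowlist pattern (empty list = nothing to flag)."""
    if method.upper() != "POST":
        return []
    if "/" + TARGET_SCRIPT not in urlsplit(url).path.lower():
        return []
    flagged = []
    # parse_qsl percent-decodes names and values, so encoded shell
    # metacharacters are checked in their decoded form.
    for name, value in parse_qsl(body, keep_blank_values=True):
        # Accept 'services' and PHP array forms such as 'services[]'.
        if name.split("[", 1)[0] != "services":
            continue
        if value and not SAFE_SERVICE.fullmatch(value):
            flagged.append(value)
    return flagged


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/www-data-handler.php", "services=ntp"),
    ("POST", "/www-data-handler.php", "services=ntp%3B%20echo%20test"),
    ("POST", "/www-data-handler.php",
     "services%5B%5D=web&services%5B%5D=web%7Cecho%20test"),
    ("POST", "/other.php", "services=ntp%3B%20echo%20test"),
    ("GET", "/www-data-handler.php", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, suspicious_services(method, url, body))
```

An allowlist is used rather than a list of bad characters, so any value that is not a plain token is reported, whatever metacharacter it carries.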

Added: Dec 30, 2025, 11:41 PM
Updated: Dec 30, 2025, 11:41 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.