SOUND4 Impact/Pulse/First/Eco Unauthenticated Command Injection Vulnerability in Username Parameter

Vulnerability

A command injection vulnerability has been identified in SOUND4 Impact, Pulse, First, and Eco versions 2.x and below. This vulnerability allows unauthenticated attackers to inject and execute arbitrary shell commands via the 'username' parameter in HTTP POST requests. The issue arises in the 'index.php' and 'login.php' scripts.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where the application is running.

Reproduction

To reproduce this vulnerability, send a POST request to 'index.php' or 'login.php' with a crafted 'username' parameter that includes the desired shell commands. The commands will be executed on the server, and the response can be used to verify the execution.
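A defensive check for the request pattern described above, as an added example that is not part of the original advisory or the vendor's code: it scans logged POST requests to the two named scripts and flags 'username' values that fall outside an allowlist. The record format, the function names and the allowlist pattern are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts named in the advisory.
WATCHED_SCRIPTS = {"index.php", "login.php"}
# Assumed allowlist for legitimate usernames; adjust to the local account policy.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def suspicious_username(method, url, body):
    """Return the decoded username if the request should be flagged, else None."""
    if method.upper() != "POST":
        return None
    script = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    if script not in WATCHED_SCRIPTS:
        return None
    # parse_qs percent-decodes, so encoded metacharacters are inspected in clear.
    fields = parse_qs(body)
    for value in fields.get("username", []):
        if not SAFE_USERNAME.fullmatch(value):
            return value
    return None


def scan(records):
    """records: iterable of (source_ip, method, url, body) tuples (assumed format)."""
    hits = []
    for src, method, url, body in records:
        value = suspicious_username(method, url, body)
        if value is not None:
            hits.append((src, url, value))
    return hits


# Constructed sample records, not taken from a real device or capture.
SAMPLE = [
    ("192.0.2.10", "POST", "/login.php", "username=admin&password=x"),
    ("192.0.2.44", "POST", "/login.php", "username=admin%3Bid&password=x"),
    ("192.0.2.44", "POST", "/index.php", "username=a%7Cid&password=x"),
    ("192.0.2.10", "GET", "/index.php", ""),
    ("192.0.2.77", "POST", "/status.php", "username=a%3Bid"),
]

if __name__ == "__main__":
    for src, url, value in scan(SAMPLE):
        print(f"ALERT {src} {url} username={value!r}")
```

The same allowlist can be enforced at a reverse proxy in front of the device, so that non-conforming 'username' values are rejected before they reach 'index.php' or 'login.php'.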

Added: Dec 30, 2025, 11:39 PM
Updated: Dec 30, 2025, 11:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.