SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Conditional Command Injection via dns.php

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory with .dns.pid extension. Unauthenticated attackers can execute the malicious commands by making a single HTTP POST request to the vulnerable dns.php script, which triggers command execution and then deletes the file.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

SOUND4多款产品 操作系统命令注入漏洞

SOUND4 IMPACT等都是法国SOUND4公司的产品。SOUND4 IMPACT是一款专业广播音频处理器。SOUND4 FIRST是一款广播用的音频处理器。SOUND4 PULSE是一款音频处理器。 SOUND4多款产品存在操作系统命令注入漏洞，该漏洞源于dns.php脚本对/tmp目录中文件处理不当，可能导致命令注入。以下产品及版本受到影响：SOUND4 IMPACT/FIRST/PULSE/Eco 2.x及之前版本。

N/A

N/A