34 matches found
CVE-2022-24627
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the processlogin.php login form...
CVE-2022-24629
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodesfiles/ajax/...
CVE-2022-24630
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. BrowseFiles.php allows a ?cmd=ssh POST request with an sshcommand field that is executed...
CVE-2022-24628
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is authenticated SQL injection in the id parameter of IPPhoneFirmwareEdit.php...
CVE-2022-24630
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. BrowseFiles.php allows a ?cmd=ssh POST request with an sshcommand field that is executed...
CVE-2022-24632
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is directory traversal during file download via the BrowseFiles.php view parameter...
CVE-2022-24628
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is authenticated SQL injection in the id parameter of IPPhoneFirmwareEdit.php...
CVE-2022-24627
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the processlogin.php login form...
CVE-2022-24631
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is stored XSS via the ajaxTenants.php desc parameter...
CVE-2022-24632
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is directory traversal during file download via the BrowseFiles.php view parameter...
CVE-2022-24627
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the processlogin.php login form...
Sql injection
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the processlogin.php login form...
Cross site scripting
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is stored XSS via the ajaxTenants.php desc parameter...
Sql injection
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is authenticated SQL injection in the id parameter of IPPhoneFirmwareEdit.php...
Cross site request forgery (csrf)
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. BrowseFiles.php allows a ?cmd=ssh POST request with an sshcommand field that is executed...
PT-2023-12764 · Audiocodes · Audiocodes Device Manager Express
Name of the Vulnerable Software and Affected Versions: AudioCodes Device Manager Express versions through 7.8.20002.47752 Description: The issue concerns directory traversal during file download. This occurs via the view parameter in the "BrowseFiles.php" endpoint. Recommendations: For versions...
CVE-2022-24629
CVE-2022-24629 affects AudioCodes Device Manager Express (versions up to 7.8.20002.47752). The issue is a directory-traversal in the dir parameter of BrowseFiles.php file upload, enabling remote code execution by uploading a .php file to WebAdmin/admin/AudioCodes_files/ajax/. Public sources docum...
CVE-2022-24632
An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is directory traversal during file download via the BrowseFiles.php view parameter...
CVE-2022-24632
CVE-2022-24632 affects AudioCodes Device Manager Express up to version 7.8.20002.47752. The vulnerability is a directory traversal during file download via the BrowseFiles.php view parameter, as described in the Red Hat and CNNVD entries and reflected across multiple feeds. The root cause is a pa...
CVE-2022-24631
AudioCodes Device Manager Express (versions up to 7.8.20002.47752) contains a stored XSS vulnerability in the ajaxTenants.php desc parameter. This is documented across multiple sources (CVE-2022-24631 and member metadata) as a cross-site scripting issue in that endpoint. PT-2023-12763 notes recom...