6 matches found
CVE-2022-24627
Summary: CVE-2022-24627 affects AudioCodes Device Manager Express (versions up to 7.8.20002.47752). It is an unauthenticated SQL injection in the parameter p of the login form process_login.php. The underlying cause is improper input handling, enabling attackers to bypass authentication and poten...
CVE-2022-24632
CVE-2022-24632 affects AudioCodes Device Manager Express up to version 7.8.20002.47752. The vulnerability is a directory traversal during file download via the BrowseFiles.php view parameter, as described in the Red Hat and CNNVD entries and reflected across multiple feeds. The root cause is a pa...
CVE-2022-24629
CVE-2022-24629 affects AudioCodes Device Manager Express (versions up to 7.8.20002.47752). The issue is a directory-traversal in the dir parameter of BrowseFiles.php file upload, enabling remote code execution by uploading a .php file to WebAdmin/admin/AudioCodes_files/ajax/. Public sources docum...
CVE-2022-24631
AudioCodes Device Manager Express (versions up to 7.8.20002.47752) contains a stored XSS vulnerability in the ajaxTenants.php desc parameter. This is documented across multiple sources (CVE-2022-24631 and member metadata) as a cross-site scripting issue in that endpoint. PT-2023-12763 notes recom...
CVE-2022-24628
AudioCodes Device Manager Express (up to version 7.8.20002.47752) is affected by an authenticated SQL injection in the id parameter of IPPhoneFirmwareEdit.php. The CVE is CVE-2022-24628. Impacted component: IPPhoneFirmwareEdit.php; attacker must be authenticated; vulnerability enables potentially...
CVE-2022-24630
AudioCodes Device Manager Express (versions up to 7.8.20002.47752) contains a vulnerability in BrowseFiles.php where a POST request with cmd=ssh and an ssh_command field is executed, enabling remote code execution. This affects the vulnerable command handling path and can lead to RCE. Public expl...