IMPACT
by Nokia
CVEs (22)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-17403 | Hig | 0.57 | 8.8 | 0.03 | Nov 25, 2019 | Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution. | ||
| CVE-2019-17405 | Med | 0.40 | 6.1 | 0.01 | Nov 25, 2019 | Nokia IMPACT < 18A: has Reflected self XSS | ||
| CVE-2019-17406 | Med | 0.35 | 5.3 | 0.01 | Nov 25, 2019 | Nokia IMPACT < 18A has path traversal that may lead to RCE if chained with CVE-2019-1743 | ||
| CVE-2019-17404 | Med | 0.28 | 4.3 | 0.01 | Nov 25, 2019 | Nokia IMPACT < 18A: allows full path disclosure | ||
| CVE-2021-35486 | 0.00 | — | 0.00 | Mar 3, 2026 | A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor… | |||
| CVE-2021-35483 | 0.00 | — | 0.00 | Mar 3, 2026 | The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during… | |||
| CVE-2021-35484 | 0.00 | — | 0.00 | Mar 3, 2026 | Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker… | |||
| CVE-2023-31044 | 0.00 | — | 0.00 | Mar 3, 2026 | An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate… | |||
| CVE-2021-35485 | 0.00 | — | 0.00 | Mar 3, 2026 | The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application,… | |||
| CVE-2022-50796 | 0.00 | — | 0.01 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions,… | |||
| CVE-2022-50795 | 0.00 | — | 0.04 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the… | |||
| CVE-2022-50794 | 0.00 | — | 0.03 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'username' parameter to… | |||
| CVE-2022-50793 | 0.00 | — | 0.03 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious… | |||
| CVE-2022-50792 | 0.00 | — | 0.01 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive system files. Attackers can exploit the vulnerability by manipulating the 'file' GET parameter to disclose arbitrary… | |||
| CVE-2022-50791 | 0.00 | — | 0.03 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the vulnerable… | |||
| CVE-2022-50790 | 0.00 | — | 0.01 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated vulnerability that allows remote attackers to access live radio stream information through webplay or ffmpeg scripts. Attackers can exploit the vulnerability by calling specific web scripts to… | |||
| CVE-2022-50787 | 0.00 | — | 0.00 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and… | |||
| CVE-2022-50695 | 0.00 | — | 0.01 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains a network vulnerability that allows unauthenticated attackers to send ICMP signals to arbitrary hosts through network command scripts. Attackers can abuse ping.php, traceroute.php, and dns.php to generate network flooding… | |||
| CVE-2022-50694 | 0.00 | — | 0.01 | Dec 30, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and… | |||
| CVE-2023-53964 | 0.00 | — | 0.01 | Dec 22, 2025 | SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data to trigger a factory… |
- risk 0.57cvss 8.8epss 0.03
Nokia IMPACT < 18A: An unrestricted File Upload vulnerability was found that may lead to Remote Code Execution.
- risk 0.40cvss 6.1epss 0.01
Nokia IMPACT < 18A: has Reflected self XSS
- risk 0.35cvss 5.3epss 0.01
Nokia IMPACT < 18A has path traversal that may lead to RCE if chained with CVE-2019-1743
- risk 0.28cvss 4.3epss 0.01
Nokia IMPACT < 18A: allows full path disclosure
- CVE-2021-35486Mar 3, 2026risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor…
- CVE-2021-35483Mar 3, 2026risk 0.00cvss —epss 0.00
The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload JavaScript files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application, or during…
- CVE-2021-35484Mar 3, 2026risk 0.00cvss —epss 0.00
Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker…
- CVE-2023-31044Mar 3, 2026risk 0.00cvss —epss 0.00
An issue was discovered in Nokia Impact before Mobile 23_FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate…
- CVE-2021-35485Mar 3, 2026risk 0.00cvss —epss 0.00
The Applications component of Nokia IMPACT version through 19.11.2.10-20210118042150283 allows an authenticated user to arbitrarily upload server-side executable files via the /ui/rest-proxy/application fileupload parameter. This can occur during the adding of a new application,…
- CVE-2022-50796Dec 30, 2025risk 0.00cvss —epss 0.01
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an unauthenticated remote code execution vulnerability in the firmware upload functionality with path traversal flaw. Attackers can exploit the upload.cgi script to write malicious files to the system with www-data permissions,…
- CVE-2022-50795Dec 30, 2025risk 0.00cvss —epss 0.04
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the…
- CVE-2022-50794Dec 30, 2025risk 0.00cvss —epss 0.03
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated command injection vulnerability in the username parameter. Attackers can exploit index.php and login.php scripts by injecting arbitrary shell commands through the HTTP POST 'username' parameter to…
- CVE-2022-50793Dec 30, 2025risk 0.00cvss —epss 0.03
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an authenticated command injection vulnerability in the www-data-handler.php script that allows attackers to inject system commands through the 'services' POST parameter. Attackers can exploit this vulnerability by crafting malicious…
- CVE-2022-50792Dec 30, 2025risk 0.00cvss —epss 0.01
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated file disclosure vulnerability that allows remote attackers to access sensitive system files. Attackers can exploit the vulnerability by manipulating the 'file' GET parameter to disclose arbitrary…
- CVE-2022-50791Dec 30, 2025risk 0.00cvss —epss 0.03
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains a conditional command injection vulnerability that allows local authenticated users to create malicious files in the /tmp directory. Unauthenticated attackers can execute commands by making a single HTTP POST request to the vulnerable…
- CVE-2022-50790Dec 30, 2025risk 0.00cvss —epss 0.01
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below contain an unauthenticated vulnerability that allows remote attackers to access live radio stream information through webplay or ffmpeg scripts. Attackers can exploit the vulnerability by calling specific web scripts to…
- CVE-2022-50787Dec 30, 2025risk 0.00cvss —epss 0.00
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains an unauthenticated stored cross-site scripting vulnerability in the username parameter that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated username input to execute arbitrary HTML and…
- CVE-2022-50695Dec 30, 2025risk 0.00cvss —epss 0.01
SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x contains a network vulnerability that allows unauthenticated attackers to send ICMP signals to arbitrary hosts through network command scripts. Attackers can abuse ping.php, traceroute.php, and dns.php to generate network flooding…
- CVE-2022-50694Dec 30, 2025risk 0.00cvss —epss 0.01
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x contains an SQL injection vulnerability in the 'username' POST parameter of index.php that allows attackers to manipulate database queries. Attackers can inject arbitrary SQL code through the username parameter to bypass authentication and…
- CVE-2023-53964Dec 22, 2025risk 0.00cvss —epss 0.01
SOUND4 IMPACT/FIRST/PULSE/Eco v2.x contains an unauthenticated vulnerability in the /usr/cgi-bin/restorefactory.cgi endpoint that allows remote attackers to reset device configuration. Attackers can send a POST request to the endpoint with specific data to trigger a factory…
Page 1 of 2