Vulnerabilities related to artica - pandora_fms
Vulnerability from fkie_nvd
Published
2017-10-27 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "60CEE4B3-B2D2-4823-B626-214B2ED406DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter." }, { "lang": "es", "value": "Artica Pandora FMS 7.0 es vulnerable a Cross-Site Scripting (XSS) persistente en el par\u00e1metro map name." } ], "id": "CVE-2017-15934", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-27T20:29:01.403", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party 
Advisory" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-12-02 17:15
Modified
2025-04-11 00:51
Severity ?
Summary
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * | |
artica | pandora_fms | 1.2 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3.1 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.1 | |
artica | pandora_fms | 2.1.1 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A972A8C1-4418-457A-B333-31CBFEA87F43", "versionEndIncluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5F58083-665E-40CE-94E8-AF46BD41E2B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C4153C42-C38B-4DF8-9C24-2060FB18F370", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "2544AF2E-0BA3-409F-9AF4-7B42751C8E56", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "95734EBF-826B-43B9-B790-111329AB8581", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "34FB9160-6109-4C68-B8C2-E9FF5FA1E783", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "A7220D9B-1FAB-4265-90D9-87630AE906B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "F912B082-3834-462C-956E-5003E5CDF624", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE24C15F-4653-46CB-9C8F-6DE942154B65", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1464A86D-222B-49BD-A4F5-9AE5AD57E016", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CAF92EC0-0616-4F17-9588-70C22C69A579", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "69446BEE-365D-49B5-9AEC-268AA93D8E2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD917088-E151-4EC1-94AE-2D3F2F3A600B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8BBEA8F8-E1FB-4C62-91FD-67EBD5006F96", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "98406056-AD7A-4A54-80B8-280E197F90ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B32CC8A6-A253-4DD2-867C-DCE583F073E0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with \"admin\" in the loginhash_user parameter, in conjunction with the md5 hash of \"admin\" in the loginhash_data parameter." }, { "lang": "es", "value": "La configuraci\u00f3n por defecto de Pandora FMS v3.1 y anteriores especifica una cadena vac\u00eda para el campo loginhash_pwd, permitiendo a atacantes remotos evitar la autenticaci\u00f3n mediante el env\u00edo de una solicitud a index.php con \"admin\" en el par\u00e1metro loginhash_user, junto con el el hash md5 de \" admin \"en el par\u00e1metro loginhash_data." 
} ], "id": "CVE-2010-4279", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-12-02T17:15:00.503", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/69549" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/42347" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15639" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/35731/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69549" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42347" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15639" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/35731/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-05 16:15
Modified
2024-11-21 06:34
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the module massive operation name field.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "C58D4E1F-7D31-498D-A392-54777B121E02", "versionEndExcluding": "757", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field." }, { "lang": "es", "value": "Se presenta una vulnerabilidad de tipo XSS en Pandora FMS versiones 756 y posteriores, que permite a un atacante llevar a cabo ejecuciones de c\u00f3digo javascript por medio del campo name de operaci\u00f3n masiva del m\u00f3dulo" } ], "id": "CVE-2021-46681", "lastModified": "2024-11-21T06:34:35.337", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 0.6, "impactScore": 3.4, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-05T16:15:11.300", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": 
"https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "security@pandorafms.com", "tags": [ "Third Party Advisory" ], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-19 17:15
Modified
2025-09-16 15:47
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
6.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows CVE-2008-5817. This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 through <776.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "43E82BDE-56AE-494A-8C82-C7E4157390AF", "versionEndExcluding": "776", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "\nImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Pandora FMS on all allows CVE-2008-5817. This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 through \u003c776.\n\n" }, { "lang": "es", "value": "Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de Comando SQL (\u0027Inyecci\u00f3n SQL\u0027) en Pandora FMS en todos permite CVE-2008-5817. Esta vulnerabilidad permiti\u00f3 realizar cambios de SQL en varios archivos del m\u00f3dulo Grafana. Este problema afecta a Pandora FMS: desde 700 hasta \u0026lt;776." 
} ], "id": "CVE-2023-44090", "lastModified": "2025-09-16T15:47:59.907", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 5.3, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-03-19T17:15:08.563", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2021-06-30 20:15
Modified
2024-11-21 06:09
Severity ?
Summary
In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://k4m1ll0.com/cve-2021-34075.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://k4m1ll0.com/cve-2021-34075.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EE4B911-6917-4541-86C1-1EB02EDE2A2A", "versionEndIncluding": "754", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS \u003c=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access." }, { "lang": "es", "value": "En Artica Pandora FMS versiones anteriores a 754 incluy\u00e9ndola, en el componente File Manager, presenta informaci\u00f3n confidencial expuesta en el lado del cliente a la que los atacantes pueden acceder" } ], "id": "CVE-2021-34075", "lastModified": "2024-11-21T06:09:52.833", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-06-30T20:15:07.980", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://k4m1ll0.com/cve-2021-34075.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2021-34075.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-23 15:15
Modified
2024-11-21 05:38
Severity ?
Summary
In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://k4m1ll0.com/cve-2020-8497.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://k4m1ll0.com/cve-2020-8497.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "606D7AE8-250D-4B3B-B627-D8B4E05E7D3A", "versionEndIncluding": "7.42", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps." }, { "lang": "es", "value": "En Artica Pandora FMS versiones hasta 7.42, un atacante no autenticado puede leer el historial de chat. El archivo est\u00e1 en formato JSON y contiene nombres de usuario, los ID de usuario, mensajes privados y marcas de tiempo." } ], "id": "CVE-2020-8497", "lastModified": "2024-11-21T05:38:56.883", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-23T15:15:14.830", "references": [ { "source": "cve@mitre.org", 
"tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-8497.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-8497.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-306" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-07 04:15
Modified
2024-11-21 06:06
Severity ?
Summary
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory | |
cve@mitre.org | https://pandorafms.com/blog/whats-new-in-pandora-fms-743/ | Release Notes, Vendor Advisory | |
cve@mitre.org | https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pandorafms.com/blog/whats-new-in-pandora-fms-743/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 742 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:742:*:*:*:*:*:*:*", "matchCriteriaId": "53DEF19B-A126-49DE-99FB-3B7B491CA9C0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization." }, { "lang": "es", "value": "Artica Pandora FMS 742, permite a atacantes no autenticados llevar a cabo una deserializaci\u00f3n Phar" } ], "id": "CVE-2021-32098", "lastModified": "2024-11-21T06:06:50.260", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-07T04:15:07.270", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": 
"https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Pandora FMS permite en todos los casos Cross-Site Scripting (XSS). Esta vulnerabilidad permite a un atacante secuestrar cookies e iniciar sesi\u00f3n como ese usuario sin necesidad de credenciales. Este problema afecta a Pandora FMS: del 700 al 773." 
} ], "id": "CVE-2023-41789", "lastModified": "2024-11-21T08:21:41.400", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:08.583", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in some Widgets' text box. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in some Widgets\u0027 text box. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Pandora FMS permite en todos los casos Cross-Site Scripting (XSS). Esta vulnerabilidad permit\u00eda ejecutar c\u00f3digo Javascript en el cuadro de texto de algunos Widgets. Este problema afecta a Pandora FMS: del 700 al 773." 
} ], "id": "CVE-2023-41810", "lastModified": "2024-11-21T08:21:43.373", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 0.6, "impactScore": 3.4, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:09.827", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-10 15:15
Modified
2025-09-16 15:52
Severity ?
Summary
System command injection through the Netflow function, due to improper input validation, allows attackers to execute arbitrary system commands. This issue affects Pandora FMS versions from 700 up to, but not including, 777.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A805FD56-3664-44B0-BFB1-EFC175DDE616", "versionEndExcluding": "777", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "System command injection through Netflow function\u00a0due to improper input validation, allowing attackers to execute arbitrary system commands.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." }, { "lang": "es", "value": "Inyecci\u00f3n de comandos del sistema a trav\u00e9s de la funci\u00f3n Netflow debido a una validaci\u00f3n de entrada incorrecta, lo que permite a los atacantes ejecutar comandos arbitrarios del sistema. Este problema afecta a Pandora FMS: desde 700 hasta \u0026lt;777." } ], "id": "CVE-2024-35304", "lastModified": "2025-09-16T15:52:02.563", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "source": "security@pandorafms.com", "type": "Secondary" } ] }, "published": "2024-06-10T15:15:51.430", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-07 04:15
Modified
2024-11-21 06:06
Severity ?
Summary
A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory | |
cve@mitre.org | https://pandorafms.com/blog/whats-new-in-pandora-fms-743/ | Release Notes, Vendor Advisory | |
cve@mitre.org | https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pandorafms.com/blog/whats-new-in-pandora-fms-743/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 742 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:742:*:*:*:*:*:*:*", "matchCriteriaId": "53DEF19B-A126-49DE-99FB-3B7B491CA9C0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user." }, { "lang": "es", "value": "Se presenta vulnerabilidad de inclusi\u00f3n remota de archivos en Artica Pandora FMS 742, explotable por el usuario menos privilegiado" } ], "id": "CVE-2021-32100", "lastModified": "2024-11-21T06:06:50.550", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-07T04:15:07.350", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", 
"Vendor Advisory" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-03-17 10:15
Modified
2025-09-16 15:55
Severity ?
Summary
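Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection. This issue affects Pandora FMS from 700 to 777.6. Note: the CPE match data in this record gives the range as 700 up to, but excluding, 777.8, which is wider than the range stated here.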
References
▼ | URL | Tags | |
---|---|---|---|
security@pandorafms.com | https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "20B79698-C22C-449D-BA89-AC9366168456", "versionEndExcluding": "777.8", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6" }, { "lang": "es", "value": "La neutralizaci\u00f3n incorrecta de elementos especiales utilizados en una vulnerabilidad de comando permite la inyecci\u00f3n de comandos del sistema operativo. Este problema afecta a Pandora FMS de 700 a 777.6" } ], "id": "CVE-2024-12971", "lastModified": "2025-09-16T15:55:43.230", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "source": "security@pandorafms.com", "type": "Secondary" } ] }, "published": "2025-03-17T10:15:14.797", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. A bad privilege assignment could cause a denial-of-service (DoS) attack that affects the availability of the Pandora FMS server. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability causes that a bad privilege assignment could cause a DOS attack that affects the availability of the Pandora FMS server. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "Vulnerabilidad de Gesti\u00f3n de Privilegios inadecuada en todo Pandora FMS permite Escalada de Privilegios. Esta vulnerabilidad provoca que una mala asignaci\u00f3n de privilegios pueda provocar un ataque DOS que afecte a la disponibilidad del servidor de Pandora FMS. Este problema afecta a Pandora FMS: del 700 al 773." 
} ], "id": "CVE-2023-41806", "lastModified": "2024-11-21T08:21:42.997", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:09.287", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:35
Severity ?
7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS <= 772.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E6C2D47-FC03-4430-BEE8-2183D4876B67", "versionEndExcluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS \u003c= 772." }, { "lang": "es", "value": "Los archivos de copia de seguridad del registro Cron contienen ID de sesi\u00f3n de administrador. Es trivial para cualquier atacante que pueda acceder a Pandora FMS Console y extraer el directorio de registros cron para realizar copias de seguridad de los registros Cron. Luego se puede abusar del contenido de estos archivos de registro para autenticarse en la aplicaci\u00f3n como administrador. Este problema afecta a Pandora FMS \u0026lt;= 772." 
} ], "id": "CVE-2023-4677", "lastModified": "2024-11-21T08:35:39.970", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:10.410", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-532" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-03-17 10:15
Modified
2025-09-16 15:53
Severity ?
Summary
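Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to 777.6. Note: the CPE match data in this record gives the range as 700 up to, but excluding, 777.8, which is wider than the range stated here.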
References
▼ | URL | Tags | |
---|---|---|---|
security@pandorafms.com | https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "20B79698-C22C-449D-BA89-AC9366168456", "versionEndExcluding": "777.8", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. \n\nThis issue affects Pandora FMS from 700 to 777.6\n\n." }, { "lang": "es", "value": "La neutralizaci\u00f3n incorrecta de elementos especiales utilizados en una vulnerabilidad de comando permite la inyecci\u00f3n de comandos del sistema operativo mediante RCE. Este problema afecta a Pandora FMS desde la versi\u00f3n 700 hasta la 777.6." } ], "id": "CVE-2024-12992", "lastModified": "2025-09-16T15:53:40.650", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE" }, "source": "security@pandorafms.com", "type": "Secondary" } ] }, "published": "2025-03-17T10:15:16.053", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-10 15:15
Modified
2025-09-16 15:53
Severity ?
Summary
OS command injection in Ajax PHP files via HTTP requests allows execution of system commands by exploiting variables. This issue affects Pandora FMS versions from 700 up to, but not including, 777.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A805FD56-3664-44B0-BFB1-EFC175DDE616", "versionEndExcluding": "777", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." }, { "lang": "es", "value": "La inyecci\u00f3n de comandos del sistema operativo en archivos PHP Ajax a trav\u00e9s de una solicitud HTTP, permite ejecutar comandos del sistema explotando variables. Este problema afecta a Pandora FMS: desde 700 hasta \u0026lt;777." } ], "id": "CVE-2024-35306", "lastModified": "2025-09-16T15:53:01.673", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "RED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:Red", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "source": "security@pandorafms.com", "type": "Secondary" } ] }, "published": "2024-06-10T15:15:51.700", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-23 16:15
Modified
2024-11-21 05:38
Severity ?
Summary
In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://k4m1ll0.com/cve-2020-8511.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://k4m1ll0.com/cve-2020-8511.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "606D7AE8-250D-4B3B-B627-D8B4E05E7D3A", "versionEndIncluding": "7.42", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500." }, { "lang": "es", "value": "En Artica Pandora FMS versiones hasta 7.42, usuarios de Web Admin pueden ejecutar c\u00f3digo arbitrario cargando un archivo .php por medio del componente File Repository, un problema diferente de CVE-2020-7935 y CVE-2020-8500." } ], "id": "CVE-2020-8511", "lastModified": "2024-11-21T05:38:58.343", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-23T16:15:17.797", "references": [ { "source": 
"cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-8511.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-8511.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-01-30 16:15
Modified
2024-11-21 04:37
Severity ?
Summary
Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://k4m1ll0.com/cve-2019-20050.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://k4m1ll0.com/cve-2019-20050.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.42 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.42:*:*:*:*:*:*:*", "matchCriteriaId": "262F864F-F93B-4F34-A39A-5EF8FD7E0A0D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Pandora FMS \u2264 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a \"tricky\" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type." }, { "lang": "es", "value": "Pandora FMS anterior o igual a la versi\u00f3n 7.42, sufre de una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo remota. Para explotar la vulnerabilidad, un usuario autenticado debe crear una nueva carpeta con un nombre \"tricky\" en el administrador de archivos. La explotaci\u00f3n funciona cuando la extensi\u00f3n php-fileinfo est\u00e1 deshabilitada en el sistema host. El atacante necesita incluir metacaracteres de shell en el tipo de contenido." 
} ], "id": "CVE-2019-20050", "lastModified": "2024-11-21T04:37:57.967", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.1, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-30T16:15:11.690", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2019-20050.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2019-20050.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
8.4 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all platforms allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce JavaScript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce Javascript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Pandora FMS permite en todos los casos Cross-Site Scripting (XSS). Esta vulnerabilidad permiti\u00f3 a los usuarios con privilegios bajos introducir ejecutables de Javascript a trav\u00e9s de una cadena de traducci\u00f3n que podr\u00eda afectar la integridad de algunos archivos de configuraci\u00f3n. Este problema afecta a Pandora FMS: del 700 al 773." 
} ], "id": "CVE-2023-41791", "lastModified": "2024-11-21T08:21:41.673", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:08.930", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-27 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
In Artica Pandora FMS version 7.0, an attacker with write permission can create an agent with an XSS payload; when a user opens the agent definitions page, the script is executed.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "60CEE4B3-B2D2-4823-B626-214B2ED406DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed." }, { "lang": "es", "value": "En Artica Pandora FMS 7.0, un atacante con permiso de escritura puede crear un agente con una carga \u00fatil XSS. Cuando un usuario entre en la p\u00e1gina de definiciones del agente, el script se ejecutar\u00e1." } ], "id": "CVE-2017-15936", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-27T20:29:01.980", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" 
], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
5.3 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all platforms allows Cross-Site Scripting (XSS). This vulnerability allowed JavaScript code to be executed in the news section of the web console. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the news section of the web console. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "La vulnerabilidad de Neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Pandora FMS permite en todos los casos Cross-Site Scripting (XSS). Esta vulnerabilidad permit\u00eda ejecutar c\u00f3digo Javascript en la secci\u00f3n de noticias de la consola web. Este problema afecta a Pandora FMS: del 700 al 773." 
} ], "id": "CVE-2023-41811", "lastModified": "2024-11-21T08:21:43.500", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 0.6, "impactScore": 4.7, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:10.000", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-07 04:15
Modified
2024-11-21 06:06
Severity ?
Summary
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory | |
cve@mitre.org | https://pandorafms.com/blog/whats-new-in-pandora-fms-743/ | Release Notes, Vendor Advisory | |
cve@mitre.org | https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pandorafms.com/blog/whats-new-in-pandora-fms-743/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 742 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:742:*:*:*:*:*:*:*", "matchCriteriaId": "53DEF19B-A126-49DE-99FB-3B7B491CA9C0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass." }, { "lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en el componente pandora_console de Artica Pandora FMS, permite a un atacante no autenticado actualizar su sesi\u00f3n sin privilegios por medio del par\u00e1metro session_id en el archivo /include/chart_generator.php, conllevando a un desv\u00edo de inicio de sesi\u00f3n" } ], "id": "CVE-2021-32099", "lastModified": "2024-11-21T06:06:50.410", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-07T04:15:07.310", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-27 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX).
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "60CEE4B3-B2D2-4823-B626-214B2ED406DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page\u0027s graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX)." }, { "lang": "es", "value": "Artica Pandora FMS 7.0 fuga un nombre completo de ruta de instalaci\u00f3n mediante datos GET cuando se intercepta la llamada a la gr\u00e1fica de la p\u00e1gina principal. Esto tambi\u00e9n implica la fuga de la informaci\u00f3n general del sistema operativo (por ejemplo, un nombre de ruta /var/www pathname suele indicar que es Linux o UNIX)." } ], "id": "CVE-2017-15937", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, 
"impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-27T20:29:02.247", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-19 17:15
Modified
2025-09-16 15:51
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Pandora FMS on all platforms allows OS Command Injection. This vulnerability allowed an attacker to create a reverse shell and execute commands in the OS. This issue affects Pandora FMS: from 700 up to, but not including, 776.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "43E82BDE-56AE-494A-8C82-C7E4157390AF", "versionEndExcluding": "776", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Pandora FMS on all allows OS Command Injection.\u00a0This vulnerability allowed to create a reverse shell and execute commands in the OS.\u00a0This issue affects Pandora FMS: from 700 through \u003c776." }, { "lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del sistema operativo (\u0027inyecci\u00f3n de comando del sistema operativo\u0027) en Pandora FMS en todos permite la inyecci\u00f3n de comando del sistema operativo. Esta vulnerabilidad permiti\u00f3 crear un shell inverso y ejecutar comandos en el sistema operativo. Este problema afecta a Pandora FMS: desde 700 hasta \u0026lt;776." 
} ], "id": "CVE-2023-44092", "lastModified": "2025-09-16T15:51:17.473", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-03-19T17:15:08.980", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-19 17:15
Modified
2025-09-16 15:15
Severity ?
6.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Path Traversal vulnerability in Pandora FMS on all platforms allows Path Traversal. This vulnerability allowed changing directories, creating files, and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700 up to, but not including, 776.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "43E82BDE-56AE-494A-8C82-C7E4157390AF", "versionEndExcluding": "776", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": ": Path Traversal vulnerability in Pandora FMS on all allows Path Traversal.\u00a0This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories.\u00a0This issue affects Pandora FMS: from 700 through \u003c776." }, { "lang": "es", "value": "Vulnerabilidad de Path Traversal en Pandora FMS en todos permite Path Traversal. Esta vulnerabilidad permit\u00eda cambiar directorios y crear archivos y descargarlos fuera de los directorios permitidos. Este problema afecta a Pandora FMS: desde 700 hasta \u0026lt;776." } ], "id": "CVE-2023-41793", "lastModified": "2025-09-16T15:15:05.277", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2024-03-19T17:15:08.263", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-35" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-06-27 08:15
Modified
2025-09-16 13:25
Severity ?
Summary
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778.
References
▼ | URL | Tags | |
---|---|---|---|
security@pandorafms.com | https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFBF38ED-86D8-4C5B-A879-F97A77D06097", "versionEndIncluding": "778", "versionStartIncluding": "774", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778" }, { "lang": "es", "value": "La neutralizaci\u00f3n incorrecta de elementos especiales en el campo de directorio Netflow puede permitir la inyecci\u00f3n de comandos del sistema operativo. Este problema afecta a Pandora FMS 774 a 778." } ], "id": "CVE-2025-5306", "lastModified": "2025-09-16T13:25:41.920", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NO", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE" }, "source": "security@pandorafms.com", "type": "Secondary" } ] }, "published": "2025-06-27T08:15:22.277", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2010-12-02 17:13
Modified
2025-04-11 00:51
Severity ?
Summary
operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * | |
artica | pandora_fms | 1.2 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3.1 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.1 | |
artica | pandora_fms | 2.1.1 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A972A8C1-4418-457A-B333-31CBFEA87F43", "versionEndIncluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5F58083-665E-40CE-94E8-AF46BD41E2B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C4153C42-C38B-4DF8-9C24-2060FB18F370", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "2544AF2E-0BA3-409F-9AF4-7B42751C8E56", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "95734EBF-826B-43B9-B790-111329AB8581", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "34FB9160-6109-4C68-B8C2-E9FF5FA1E783", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "A7220D9B-1FAB-4265-90D9-87630AE906B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "F912B082-3834-462C-956E-5003E5CDF624", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE24C15F-4653-46CB-9C8F-6DE942154B65", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1464A86D-222B-49BD-A4F5-9AE5AD57E016", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CAF92EC0-0616-4F17-9588-70C22C69A579", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "69446BEE-365D-49B5-9AEC-268AA93D8E2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD917088-E151-4EC1-94AE-2D3F2F3A600B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8BBEA8F8-E1FB-4C62-91FD-67EBD5006F96", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "98406056-AD7A-4A54-80B8-280E197F90ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B32CC8A6-A253-4DD2-867C-DCE583F073E0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php." }, { "lang": "es", "value": "operaci\u00f3n/agentes/networkmap.php en Pandora FMS anterior a v3.1.1 permite a usuarios remotos autenticados ejecutar c\u00f3digo arbitrario a trav\u00e9s de meta-caracteres de shell en el par\u00e1metro layout en una acci\u00f3n operation/agentes/networkmap para index.php" } ], "id": "CVE-2010-4278", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-12-02T17:13:55.740", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/69550" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "cve@mitre.org", "url": 
"http://secunia.com/advisories/42347" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15640" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69550" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42347" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15640" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-03-19 17:15
Modified
2025-09-16 15:49
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows SQL Injection. This vulnerability allowed SQL injections to be made even if authentication failed. This issue affects Pandora FMS: from 700 up to, but not including, 776.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "43E82BDE-56AE-494A-8C82-C7E4157390AF", "versionEndExcluding": "776", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Pandora FMS on all allows SQL Injection.\u00a0This ulnerability allowed SQL injections to be made even if authentication failed.This issue affects Pandora FMS: from 700 through \u003c776." }, { "lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de Comando SQL (\u0027Inyecci\u00f3n SQL\u0027) en Pandora FMS en todos permite la Inyecci\u00f3n SQL. Esta vulnerabilidad permit\u00eda realizar inyecciones SQL incluso si fallaba la autenticaci\u00f3n. Este problema afecta a Pandora FMS: de 700 a \u0026lt;776." 
} ], "id": "CVE-2023-44091", "lastModified": "2025-09-16T15:49:46.410", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-03-19T17:15:08.780", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-12 18:15
Modified
2024-11-21 05:39
Severity ?
Summary
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://engindemirbilek.github.io/pandorafms-rce | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html | Exploit | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://engindemirbilek.github.io/pandorafms-rce | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html | Exploit |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "60CEE4B3-B2D2-4823-B626-214B2ED406DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224." }, { "lang": "es", "value": "El archivo functions_netflow.php en Artica Pandora FMS versi\u00f3n 7.0, permite a atacantes remotos ejecutar comandos arbitrarios de Sistema Operativo por medio de metacaracteres de shell en el par\u00e1metro ip_dst, dst_port, o src_port de index.php?operation/netflow/nf_live_view, una vulnerabilidad diferente de CVE-2019-20224." } ], "id": "CVE-2020-8947", "lastModified": "2024-11-21T05:39:43.243", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, 
"impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-12T18:15:10.580", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://engindemirbilek.github.io/pandorafms-rce" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://engindemirbilek.github.io/pandorafms-rce" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-06-16 01:29
Modified
2024-11-21 03:42
Severity ?
Summary
Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.hackercat.ninja/post/pandoras_box/ | Third Party Advisory | |
cve@mitre.org | https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.hackercat.ninja/post/pandoras_box/ | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf | Exploit, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C3D1EF5-33AF-4478-ADBA-5A7CB1DECD3A", "versionEndIncluding": "7.23", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint." }, { "lang": "es", "value": "Inclusi\u00f3n de archivos locales en Artica Pandora FMS hasta la versi\u00f3n 7.23 permite que un atacante llame a cualquier archivo php mediante el endpoint de ajax /pandora_console/ajax.php." } ], "id": "CVE-2018-11222", "lastModified": "2024-11-21T03:42:56.047", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-16T01:29:05.240", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://blog.hackercat.ninja/post/pandoras_box/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://blog.hackercat.ninja/post/pandoras_box/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-10 15:15
Modified
2025-09-16 15:56
Severity ?
Summary
Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora FMS: from 700 up to, but not including, 777.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A805FD56-3664-44B0-BFB1-EFC175DDE616", "versionEndExcluding": "777", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Argument Injection Leading to Remote Code Execution in Realtime Graph Extension,\u00a0allowing unauthenticated attackers to execute arbitrary code on the server.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." }, { "lang": "es", "value": "Inyecci\u00f3n de argumentos que conduce a la ejecuci\u00f3n remota de c\u00f3digo en Realtime Graph Extension, lo que permite a atacantes no autenticados ejecutar c\u00f3digo arbitrario en el servidor. Este problema afecta a Pandora FMS: desde 700 hasta \u0026lt;777." } ], "id": "CVE-2024-35307", "lastModified": "2025-09-16T15:56:22.270", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "source": "security@pandorafms.com", "type": "Secondary" } ] }, "published": "2024-06-10T15:15:51.803", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-88" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2019-12-26 16:15
Modified
2024-11-21 04:35
Severity ?
Summary
Pandora FMS 7.x suffers from a remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "60CEE4B3-B2D2-4823-B626-214B2ED406DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [ { "sourceIdentifier": "cve@mitre.org", "tags": [ "disputed" ] } ], "descriptions": [ { "lang": "en", "value": "Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands" }, { "lang": "es", "value": "** EN DISPUTA ** Pandora FMS 7.x sufre de vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo. Con un usuario autenticado que puede modificar el sistema de alerta, es posible definir y ejecutar comandos como root / Administrador. NOTA: El proveedor del producto afirma que la vulnerabilidad tal como se describe no es en realidad una vulnerabilidad real. Afirman que para poder crear comandos de alerta, debe tener derechos de administrador. Tambi\u00e9n afirman que el sistema ACL extendido puede inhabilitar el acceso a secciones espec\u00edficas de la configuraci\u00f3n, como definir nuevos comandos de alerta." 
} ], "id": "CVE-2019-19681", "lastModified": "2024-11-21T04:35:10.880", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-12-26T16:15:10.857", "references": [ { "source": "cve@mitre.org", "url": "https://k4m1ll0.com/cve-2019-19681.html" }, { "source": "cve@mitre.org", "url": "https://medium.com/%40k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a" }, { "source": "cve@mitre.org", "url": "https://pandorafms.com/blog/pandora-fms-vulnerability/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://k4m1ll0.com/cve-2019-19681.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://medium.com/%40k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://pandorafms.com/blog/pandora-fms-vulnerability/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the SNMP Trap Editor. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the SNMP Trap Editor. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "La vulnerabilidad Cross-Site Request Forgery (CSRF) en Pandora FMS permite en todos los casos Cross-Site Scripting (XSS). Esta vulnerabilidad permit\u00eda que se ejecutara c\u00f3digo Javascript en el Editor de capturas SNMP. Este problema afecta a Pandora FMS: del 700 al 773." } ], "id": "CVE-2023-41792", "lastModified": "2024-11-21T08:21:41.810", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 1.7, "impactScore": 3.7, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:09.113", 
"references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-02 16:15
Modified
2024-11-21 05:38
Severity ?
Summary
In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.42 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.42:*:*:*:*:*:*:*", "matchCriteriaId": "262F864F-F93B-4F34-A39A-5EF8FD7E0A0D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [ { "sourceIdentifier": "cve@mitre.org", "tags": [ "disputed" ] } ], "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality" }, { "lang": "es", "value": "** EN DISPUTA ** En Artica Pandora FMS 7.42, los usuarios de Web Admin pueden ejecutar c\u00f3digo arbitrario cargando un archivo .php a trav\u00e9s del componente Updater o Extension. NOTA: El proveedor informa que esta es la funcionalidad prevista." } ], "id": "CVE-2020-8500", "lastModified": "2024-11-21T05:38:57.143", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2020-03-02T16:15:12.503", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-8500.html" }, { "source": "cve@mitre.org", "url": "https://pandorafms.com/downloads/extension-uploader-feature-explained.mp4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-8500.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://pandorafms.com/downloads/extension-uploader-feature-explained.mp4" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Improper Privilege Management vulnerability in Pandora FMS on all platforms allows Privilege Escalation. This vulnerability allows an unauthorised user to escalate and read sensitive files as if they were root. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows an unauthorised user to escalate and read sensitive files as if they were root. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "Vulnerabilidad de Gesti\u00f3n de Privilegios inadecuada en todo Pandora FMS permite Escalada de Privilegios. Esta vulnerabilidad permite a un usuario no autorizado escalar y leer archivos confidenciales como si fueran root. Este problema afecta a Pandora FMS: del 700 al 773." } ], "id": "CVE-2023-41808", "lastModified": "2024-11-21T08:21:43.260", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2023-11-23T15:15:09.650", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-03 12:15
Modified
2024-11-21 06:13
Severity ?
Summary
With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be executed with an HTTP request.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://artica.com | Vendor Advisory | |
cve@mitre.org | http://pandora.com | Vendor Advisory | |
cve@mitre.org | https://k4m1ll0.com/chained_exploit_htaccess.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://artica.com | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://pandora.com | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://k4m1ll0.com/chained_exploit_htaccess.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "54FE731D-679E-4264-A9F9-282F104696E0", "versionEndIncluding": "755", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "With an admin account, the .htaccess file in Artica Pandora FMS \u003c=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new \"file type\" and the code can be executed with an HTTP request." }, { "lang": "es", "value": "Con una cuenta de administrador, el fichero .htaccess en Artica Pandora FMS versiones anteriores a 755 incluy\u00e9ndola, puede ser sobrescrito con el componente File Manager. El nuevo fichero .htaccess contiene una Regla de Reescritura con una definici\u00f3n de tipo. Un archivo PHP normal puede ser cargado con este nuevo \"file type\" y el c\u00f3digo puede ser ejecutado con una petici\u00f3n HTTP" } ], "id": "CVE-2021-36697", "lastModified": "2024-11-21T06:13:56.013", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-03T12:15:07.643", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://artica.com" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://pandora.com" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://artica.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://pandora.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-12-02 17:15
Modified
2025-04-11 00:51
Severity ?
Summary
PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * | |
artica | pandora_fms | 1.2 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3.1 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.1 | |
artica | pandora_fms | 2.1.1 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A972A8C1-4418-457A-B333-31CBFEA87F43", "versionEndIncluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5F58083-665E-40CE-94E8-AF46BD41E2B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C4153C42-C38B-4DF8-9C24-2060FB18F370", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "2544AF2E-0BA3-409F-9AF4-7B42751C8E56", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "95734EBF-826B-43B9-B790-111329AB8581", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "34FB9160-6109-4C68-B8C2-E9FF5FA1E783", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "A7220D9B-1FAB-4265-90D9-87630AE906B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "F912B082-3834-462C-956E-5003E5CDF624", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE24C15F-4653-46CB-9C8F-6DE942154B65", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1464A86D-222B-49BD-A4F5-9AE5AD57E016", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CAF92EC0-0616-4F17-9588-70C22C69A579", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "69446BEE-365D-49B5-9AEC-268AA93D8E2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD917088-E151-4EC1-94AE-2D3F2F3A600B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8BBEA8F8-E1FB-4C62-91FD-67EBD5006F96", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "98406056-AD7A-4A54-80B8-280E197F90ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B32CC8A6-A253-4DD2-867C-DCE583F073E0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter." }, { "lang": "es", "value": "Vulnerabilidad de inclusi\u00f3n remota de archivo PHP en extras/pandora_diag.php en Pandora FMS anterior a v3.1.1 permite a atacantes remotos ejecutar c\u00f3digo PHP de su elecci\u00f3n a trav\u00e9s de la URL en el par\u00e1metro argv[1]." } ], "id": "CVE-2010-4283", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-12-02T17:15:00.630", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/69542" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/42347" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": 
"http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15643" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69542" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42347" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-06-16 01:29
Modified
2024-11-21 03:42
Severity ?
Summary
Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C3D1EF5-33AF-4478-ADBA-5A7CB1DECD3A", "versionEndIncluding": "7.23", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system." }, { "lang": "es", "value": "Subida de archivos no fiables sin autenticaci\u00f3n en Artica Pandora FMS hasta la versi\u00f3n 7.23 permite que un atacante suba un plugin arbitrario mediante include/ajax/update_manager.ajax en el sistema de actualizaci\u00f3n." } ], "id": "CVE-2018-11221", "lastModified": "2024-11-21T03:42:55.893", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-16T01:29:05.193", "references": [ { "source": 
"cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://blog.hackercat.ninja/post/pandoras_box/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://blog.hackercat.ninja/post/pandoras_box/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-27 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | Issue Tracking, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "60CEE4B3-B2D2-4823-B626-214B2ED406DE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file." }, { "lang": "es", "value": "Artica Pandora FMS 7.0 es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo PHP mediante la funci\u00f3n manager files. Esto solo es explotable por administradores que suban un archivo PHP." } ], "id": "CVE-2017-15935", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-27T20:29:01.713", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": 
"https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all platforms allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BFBB222-690E-4B0B-B345-40BCB34BC8FE", "versionEndExcluding": "774", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "La carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Pandora FMS permite acceder a funcionalidades no correctamente restringidas por ACL. Esta vulnerabilidad permite a los atacantes ejecutar c\u00f3digo mediante la carga de archivos PHP. Este problema afecta a Pandora FMS: del 700 al 773." } ], "id": "CVE-2023-41788", "lastModified": "2024-11-21T08:21:41.273", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:08.407", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all platforms allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allowed PHP executable files to be uploaded through the file manager. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "4BFBB222-690E-4B0B-B345-40BCB34BC8FE", "versionEndExcluding": "774", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allowed PHP executable files to be uploaded through the file manager. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "La carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Pandora FMS permite acceder a funcionalidades no correctamente restringidas por ACL. Esta vulnerabilidad permit\u00eda cargar archivos ejecutables PHP a trav\u00e9s del administrador de archivos. Este problema afecta a Pandora FMS: del 700 al 773." 
} ], "id": "CVE-2023-41812", "lastModified": "2024-11-21T08:21:43.623", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 4.7, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:10.170", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Privilege Management vulnerability in Pandora FMS on all platforms allows Privilege Escalation. This vulnerability allows a user to escalate permissions on the system shell. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows a user to escalate permissions on the system shell. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "Vulnerabilidad de Gesti\u00f3n de Privilegios inadecuada en todo Pandora FMS permite Escalada de Privilegios. Esta vulnerabilidad permite a un usuario escalar permisos en el shell del sistema. Este problema afecta a Pandora FMS: del 700 al 773." } ], "id": "CVE-2023-41807", "lastModified": "2024-11-21T08:21:43.127", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:09.470", "references": [ { "source": "security@pandorafms.com", 
"tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-01-09 16:15
Modified
2024-11-21 04:38
Severity ?
Summary
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0_ng |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0_ng:*:*:*:*:*:*:*", "matchCriteriaId": "B552ED8D-00AC-4DBF-B654-592C561E73AB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742." }, { "lang": "es", "value": "netflow_get_stats en functions_netflow.php en Pandora FMS 7.0NG permite a los usuarios identificados remotos ejecutar comandos arbitrarios del sistema operativo a trav\u00e9s de metacaracteres de shell en el par\u00e1metro ip_src en una solicitud index.php operation / netflow / nf_live_view. Este problema se ha solucionado en Pandora FMS 7.0 NG 742." } ], "id": "CVE-2019-20224", "lastModified": "2024-11-21T04:38:14.693", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-09T16:15:10.660", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9" }, { "source": "cve@mitre.org", "url": "https://pandorafms.com/downloads/solved-pandorafms-742.mp4" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://pandorafms.com/downloads/solved-pandorafms-742.mp4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": 
"CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-03 12:15
Modified
2024-11-21 06:13
Severity ?
Summary
Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://artica.com | Vendor Advisory | |
cve@mitre.org | http://pandora.com | Vendor Advisory | |
cve@mitre.org | https://k4m1ll0.com/chained_exploit_htaccess.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://artica.com | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://pandora.com | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://k4m1ll0.com/chained_exploit_htaccess.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "54FE731D-679E-4264-A9F9-282F104696E0", "versionEndIncluding": "755", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name." }, { "lang": "es", "value": "Pandora FMS versiones hasta 755, permite un ataque de tipo XSS por medio de un nuevo Filtro de Eventos con un nombre dise\u00f1ado" } ], "id": "CVE-2021-36698", "lastModified": "2024-11-21T06:13:56.170", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-03T12:15:07.687", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://artica.com" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://pandora.com" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party 
Advisory" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://artica.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://pandora.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-12-02 17:15
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * | |
artica | pandora_fms | 1.2 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3.1 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.1 | |
artica | pandora_fms | 2.1.1 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A972A8C1-4418-457A-B333-31CBFEA87F43", "versionEndIncluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5F58083-665E-40CE-94E8-AF46BD41E2B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C4153C42-C38B-4DF8-9C24-2060FB18F370", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "2544AF2E-0BA3-409F-9AF4-7B42751C8E56", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "95734EBF-826B-43B9-B790-111329AB8581", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "34FB9160-6109-4C68-B8C2-E9FF5FA1E783", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "A7220D9B-1FAB-4265-90D9-87630AE906B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "F912B082-3834-462C-956E-5003E5CDF624", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE24C15F-4653-46CB-9C8F-6DE942154B65", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1464A86D-222B-49BD-A4F5-9AE5AD57E016", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CAF92EC0-0616-4F17-9588-70C22C69A579", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "69446BEE-365D-49B5-9AEC-268AA93D8E2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD917088-E151-4EC1-94AE-2D3F2F3A600B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8BBEA8F8-E1FB-4C62-91FD-67EBD5006F96", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "98406056-AD7A-4A54-80B8-280E197F90ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B32CC8A6-A253-4DD2-867C-DCE583F073E0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en FMS anterior a v3.1.1 permite a atacantes remotos incluir y ejecutar ficheros locales de su elecci\u00f3n mediante (1) el par\u00e1metro page para ajax.php o (2) el par\u00e1metro id para general/pandora_help.php, y permite a atacantes remotos incluir, ejecutar, crear, modificar, o borrar ficheros locales de su elecci\u00f3n mediante (3) el par\u00e1metro layout para operation/agentes/networkmap.php." 
} ], "id": "CVE-2010-4282", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-12-02T17:15:00.597", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/69543" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/69544" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/69545" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/42347" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15643" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/45112" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69543" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69544" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69545" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42347" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/45112" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
6.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E6C2D47-FC03-4430-BEE8-2183D4876B67", "versionEndExcluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772." }, { "lang": "es", "value": "Vulnerabilidad no controlada del elemento de ruta de b\u00fasqueda en Pandora FMS permite aprovechar/manipular rutas de b\u00fasqueda de archivos de configuraci\u00f3n. Esta vulnerabilidad permite el acceso a archivos con informaci\u00f3n sensible. Este problema afecta a Pandora FMS: del 700 al 772." } ], "id": "CVE-2023-41787", "lastModified": "2024-11-21T08:21:41.150", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "exploitabilityScore": 0.5, "impactScore": 5.5, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2023-11-23T15:15:08.223", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-427" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-427" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-23 16:15
Modified
2024-11-21 05:38
Severity ?
Summary
Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a directory (or use an existing one) that is externally accessible to store PHP files. The filename and the exact path are known to the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://k4m1ll0.com/cve-2020-7935.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://k4m1ll0.com/cve-2020-7935.html | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "606D7AE8-250D-4B3B-B627-D8B4E05E7D3A", "versionEndIncluding": "7.42", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access." }, { "lang": "es", "value": "Artica Pandora FMS versiones hasta 7.42, es vulnerable a una ejecuci\u00f3n de c\u00f3digo PHP remota debido a un problema de Carga Sin Restricciones de un Archivo Con un Tipo Peligroso en el File Manager. Un atacante puede crear un directorio (o usar un directorio existente) que sea accesible externamente para almacenar archivos PHP. El nombre de archivo y la ruta exacta es conocida por el atacante, por lo que es posible ejecutar c\u00f3digo PHP en el contexto de la aplicaci\u00f3n. La vulnerabilidad es explotable solo con acceso de Administrador." 
} ], "id": "CVE-2020-7935", "lastModified": "2024-11-21T05:38:02.450", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-23T16:15:17.737", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-7935.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://k4m1ll0.com/cve-2020-7935.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772.
References
▼ | URL | Tags | |
---|---|---|---|
security@pandorafms.com | https://https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | Broken Link, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | Broken Link, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E6C2D47-FC03-4430-BEE8-2183D4876B67", "versionEndExcluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772." }, { "lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n sensible a un actor no autorizado en Pandora FMS en todos los casos que permite File Discovery. Esta vulnerabilidad permite a los usuarios con privilegios bajos descargar copias de seguridad de bases de datos. Este problema afecta a Pandora FMS: del 700 al 772." } ], "id": "CVE-2023-41786", "lastModified": "2024-11-21T08:21:41.023", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } 
] }, "published": "2023-11-23T15:15:08.023", "references": [ { "source": "security@pandorafms.com", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-668" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-11-23 15:15
Modified
2024-11-21 08:21
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows an attacker to access the server configuration file and to compromise the database. This issue affects Pandora FMS: from 700 through 773.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E05376BB-16AE-4232-A35A-E733A286E625", "versionEndIncluding": "773", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows to access the server configuration file and to compromise the database. This issue affects Pandora FMS: from 700 through 773." }, { "lang": "es", "value": "Vulnerabilidad no controlada del elemento de ruta de b\u00fasqueda en Pandora FMS permite aprovechar/manipular rutas de b\u00fasqueda de archivos de configuraci\u00f3n. Esta vulnerabilidad permite acceder al archivo de configuraci\u00f3n del servidor y comprometer la base de datos. Este problema afecta a Pandora FMS: del 700 al 773." 
} ], "id": "CVE-2023-41790", "lastModified": "2024-11-21T08:21:41.537", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "security@pandorafms.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-11-23T15:15:08.757", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-427" } ], "source": "security@pandorafms.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-427" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-12-02 17:15
Modified
2025-04-11 00:51
Severity ?
Summary
Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * | |
artica | pandora_fms | 1.2 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3.1 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.1 | |
artica | pandora_fms | 2.1.1 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A972A8C1-4418-457A-B333-31CBFEA87F43", "versionEndIncluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5F58083-665E-40CE-94E8-AF46BD41E2B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C4153C42-C38B-4DF8-9C24-2060FB18F370", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "2544AF2E-0BA3-409F-9AF4-7B42751C8E56", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "95734EBF-826B-43B9-B790-111329AB8581", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "34FB9160-6109-4C68-B8C2-E9FF5FA1E783", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "A7220D9B-1FAB-4265-90D9-87630AE906B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "F912B082-3834-462C-956E-5003E5CDF624", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE24C15F-4653-46CB-9C8F-6DE942154B65", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1464A86D-222B-49BD-A4F5-9AE5AD57E016", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CAF92EC0-0616-4F17-9588-70C22C69A579", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "69446BEE-365D-49B5-9AEC-268AA93D8E2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD917088-E151-4EC1-94AE-2D3F2F3A600B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8BBEA8F8-E1FB-4C62-91FD-67EBD5006F96", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "98406056-AD7A-4A54-80B8-280E197F90ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B32CC8A6-A253-4DD2-867C-DCE583F073E0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character." }, { "lang": "es", "value": "Vulnerabilidad de lista negra incompleta en la funci\u00f3n safe_url_extraclean en ajax.php en Pandora FMS anterior a v3.1.1 permite a atacantes remotos ejecutar c\u00f3digo PHP arbitrario mediante un par\u00e1metro de p\u00e1gina que contiene una ruta de acceso compartido UNC, que evita la verificaci\u00f3n para el car\u00e1cter : (dos puntos)" } ], "id": "CVE-2010-4281", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-12-02T17:15:00.567", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/69546" }, { "source": "cve@mitre.org", "url": 
"http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/42347" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15643" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69546" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42347" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/15643" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/45112" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-10 15:15
Modified
2025-09-16 15:52
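Severity
9.8 CRITICAL (CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; nvd@nist.gov, Primary)
8.9 HIGH (CVSS 4.0; security@pandorafms.com, Secondary). The vendor vector records AV:A and PR:L, which differs from the NVD vector (AV:N, PR:N) and from the "Unauth" wording of the summary.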
Summary
Unauthenticated time-based SQL injection in the API, exploitable via the HTTP request Authorization header. This issue affects Pandora FMS: from 700 up to, but not including, 777.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A805FD56-3664-44B0-BFB1-EFC175DDE616", "versionEndExcluding": "777", "versionStartIncluding": "700", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." }, { "lang": "es", "value": "La inyecci\u00f3n SQL basada en tiempo Unauth en API permite explotar el encabezado de autorizaci\u00f3n de solicitud HTTP. Este problema afecta a Pandora FMS: desde 700 hasta \u0026lt;777." } ], "id": "CVE-2024-35305", "lastModified": "2025-09-16T15:52:37.943", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "source": "security@pandorafms.com", "type": "Secondary" } ] }, "published": "2024-06-10T15:15:51.583", "references": [ { "source": "security@pandorafms.com", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "security@pandorafms.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-10-02 05:15
Modified
2024-11-21 05:19
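Severity
9.8 CRITICAL (CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; nvd@nist.gov, Primary)
7.5 HIGH (CVSS 2.0, AV:N/AC:L/Au:N/C:P/I:P/A:P; nvd@nist.gov, Primary)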
Summary
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | Exploit, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFEAA33C-B321-4874-BD1F-60D5133DB26E", "versionEndExcluding": "743", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter." }, { "lang": "es", "value": "Artica Pandora FMS versiones anteriores a 743, permite a atacantes no autenticados conducir ataques de inyecci\u00f3n SQL por medio del par\u00e1metro session_id del archivo pandora_console/include/chart_generator.php" } ], "id": "CVE-2020-26518", "lastModified": "2024-11-21T05:19:58.797", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-10-02T05:15:12.643", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third 
Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-16 18:15
Modified
2024-11-21 05:34
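Severity
7.2 HIGH (CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; nvd@nist.gov, Primary)
6.5 MEDIUM (CVSS 2.0, AV:N/AC:L/Au:S/C:P/I:P/A:P; nvd@nist.gov, Primary)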
Summary
index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://github.com/TheCyberGeek/CVE-2020-5844 | Exploit, Third Party Advisory | |
cve@mitre.org | https://pandorafms.com | Product | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/TheCyberGeek/CVE-2020-5844 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://pandorafms.com | Product |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | 7.0_ng |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:7.0_ng:*:*:*:*:*:*:*", "matchCriteriaId": "B552ED8D-00AC-4DBF-B654-592C561E73AB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "index.php?sec=godmode/extensions\u0026sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020." }, { "lang": "es", "value": "index.php?sec=godmode/extensions\u0026amp;sec2=extensions/files_repo en Pandora FMS versi\u00f3n v7.0 NG, permite a los administradores autenticados cargar scripts PHP maliciosos y ejecutarlos por medio de la decodificaci\u00f3n base64 de la ubicaci\u00f3n de archivo. Esto afecta a la versi\u00f3n v7.0NG.742_FIX_PERL2020." } ], "id": "CVE-2020-5844", "lastModified": "2024-11-21T05:34:41.263", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-16T18:15:12.617", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/TheCyberGeek/CVE-2020-5844" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://pandorafms.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/TheCyberGeek/CVE-2020-5844" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://pandorafms.com" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-12-02 17:15
Modified
2025-04-11 00:51
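Severity
7.5 HIGH (CVSS 2.0, AV:N/AC:L/Au:N/C:P/I:P/A:P; nvd@nist.gov, Primary). The vector records Au:N, while the summary describes remote authenticated users.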
Summary
Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
artica | pandora_fms | * | |
artica | pandora_fms | 1.2 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3 | |
artica | pandora_fms | 1.3.1 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.0 | |
artica | pandora_fms | 2.1 | |
artica | pandora_fms | 2.1.1 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.0 | |
artica | pandora_fms | 3.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A972A8C1-4418-457A-B333-31CBFEA87F43", "versionEndIncluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5F58083-665E-40CE-94E8-AF46BD41E2B1", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C4153C42-C38B-4DF8-9C24-2060FB18F370", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "2544AF2E-0BA3-409F-9AF4-7B42751C8E56", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "95734EBF-826B-43B9-B790-111329AB8581", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "34FB9160-6109-4C68-B8C2-E9FF5FA1E783", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "A7220D9B-1FAB-4265-90D9-87630AE906B0", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "F912B082-3834-462C-956E-5003E5CDF624", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE24C15F-4653-46CB-9C8F-6DE942154B65", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1464A86D-222B-49BD-A4F5-9AE5AD57E016", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CAF92EC0-0616-4F17-9588-70C22C69A579", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "69446BEE-365D-49B5-9AEC-268AA93D8E2A", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD917088-E151-4EC1-94AE-2D3F2F3A600B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8BBEA8F8-E1FB-4C62-91FD-67EBD5006F96", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "98406056-AD7A-4A54-80B8-280E197F90ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B32CC8A6-A253-4DD2-867C-DCE583F073E0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en Pandora FMS anterior a v3.1.1, permite a usuarios autenticados ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del (1) par\u00e1metro id_group en una acci\u00f3n operation/agentes/ver_agente para ajax.php o (2) el par\u00e1metro group_id en una acci\u00f3n operation/agentes/estado_agente para index.php, relacionado con operation/agentes/estado_agente.php." 
} ], "id": "CVE-2010-4280", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2010-12-02T17:15:00.537", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/69547" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/69548" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/42347" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/15641" }, { "source": "cve@mitre.org", "url": "http://www.exploit-db.com/exploits/15642" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/45112" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69547" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/69548" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/42347" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/15641" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.exploit-db.com/exploits/15642" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/45112" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2021-32098 (GCVE-0-2021-32098)
Vulnerability from cvelistv5
Published
2021-05-07 03:51
Modified
2024-08-03 23:17
Severity ?
CWE
- n/a
Summary
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:17:29.510Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-07T03:51:23", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-32098", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { 
"lang": "eng", "value": "Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained", "refsource": "MISC", "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "name": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/", "refsource": "MISC", "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "name": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack", "refsource": "MISC", "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-32098", "datePublished": "2021-05-07T03:51:23", "dateReserved": "2021-05-07T00:00:00", "dateUpdated": "2024-08-03T23:17:29.510Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41791 (GCVE-0-2023-41791)
Vulnerability from cvelistv5
Published
2023-11-23 14:41
Modified
2025-06-03 14:10
Severity
8.4 HIGH (CVSS 3.1, CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H; PandoraFMS CNA)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all platforms allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce executable JavaScript via a translation string, which could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS | Version: 700 through 773 (inclusive) | ||
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.574Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-41791", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-03T14:10:15.878546Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-03T14:10:44.953Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:45:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce Javascript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). 
This vulnerability allowed users with low privileges to introduce Javascript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773." } ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:41:46.802Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 in v772.2." } ], "value": "Fixed in v774 in v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Lack of Authorization and Stored XSS Via Translation Abuse", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41791", "datePublished": "2023-11-23T14:41:46.802Z", "dateReserved": "2023-09-01T11:54:47.539Z", "dateUpdated": "2025-06-03T14:10:44.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-35307 (GCVE-0-2024-35307)
Vulnerability from cvelistv5
Published
2024-06-10 14:33
Modified
2024-08-02 03:07
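Severity
9.4 CRITICAL (CVSS 4.0, CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/RE:L/U:Amber; PandoraFMS CNA)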
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Summary
Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora FMS: from 700 through <777.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS | Version: 700 < 777 | ||
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:pandorafms:pandora_fms:700:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "pandora_fms", "vendor": "pandorafms", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-35307", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-12T13:35:21.466902Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-12T13:39:11.479Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:07:46.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "u32i@proton.me" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Argument Injection Leading to Remote Code Execution in Realtime Graph Extension,\u0026nbsp;allowing unauthenticated attackers to execute arbitrary code on the server.\u0026nbsp;This issue affects Pandora FMS: from 700 through \u0026lt;777." } ], "value": "Argument Injection Leading to Remote Code Execution in Realtime Graph Extension,\u00a0allowing unauthenticated attackers to execute arbitrary code on the server.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." 
} ], "impacts": [ { "capecId": "CAPEC-137", "descriptions": [ { "lang": "en", "value": "CAPEC-137 Parameter Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 9.4, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-10T14:33:29.127Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed v777" } ], "value": "Fixed v777" } ], "source": { "discovery": "EXTERNAL" }, "title": "Argument Injection Leading to Remote Code Execution in Realtime Graph Extension", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2024-35307", "datePublished": "2024-06-10T14:33:29.127Z", "dateReserved": "2024-05-16T17:38:35.343Z", "dateUpdated": 
"2024-08-02T03:07:46.936Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-11222 (GCVE-0-2018-11222)
Vulnerability from cvelistv5
Published
2018-06-15 21:00
Modified
2024-08-05 08:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf | x_refsource_CONFIRM | |
https://blog.hackercat.ninja/post/pandoras_box/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T08:01:52.746Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.hackercat.ninja/post/pandoras_box/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-06-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.hackercat.ninja/post/pandoras_box/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11222", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf", "refsource": "CONFIRM", "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "name": "https://blog.hackercat.ninja/post/pandoras_box/", "refsource": "MISC", "url": "https://blog.hackercat.ninja/post/pandoras_box/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11222", "datePublished": "2018-06-15T21:00:00", "dateReserved": "2018-05-16T00:00:00", "dateUpdated": "2024-08-05T08:01:52.746Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8497 (GCVE-0-2020-8497)
Vulnerability from cvelistv5
Published
2020-03-23 15:01
Modified
2024-08-04 10:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps.
References
▼ | URL | Tags |
---|---|---|
https://k4m1ll0.com/cve-2020-8497.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:03:46.165Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/cve-2020-8497.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-23T15:01:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/cve-2020-8497.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8497", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://k4m1ll0.com/cve-2020-8497.html", "refsource": "MISC", "url": "https://k4m1ll0.com/cve-2020-8497.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8497", "datePublished": "2020-03-23T15:01:08", "dateReserved": "2020-01-30T00:00:00", "dateUpdated": "2024-08-04T10:03:46.165Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-44091 (GCVE-0-2023-44091)
Vulnerability from cvelistv5
Published
2024-03-19 16:31
Modified
2024-08-02 19:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all platforms allows SQL Injection. This vulnerability allowed SQL injections to be made even if authentication failed. This issue affects Pandora FMS: from 700 through <776.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS | Version: from 700 through <776 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-44091", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-19T19:13:28.748415Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:19:21.999Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T19:52:11.930Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "\u003c776", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aleksey Solovev (Positive Technologies)" } ], "datePublic": "2024-03-19T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Pandora FMS on all allows SQL Injection.\u0026nbsp;This ulnerability allowed SQL injections to be made even if authentication failed.\u003cspan style=\"background-color: var(--darkreader-bg--wht);\"\u003eThis issue affects Pandora FMS: from 700 through \u0026lt;776.\u003c/span\u003e" } ], "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Pandora FMS on all allows SQL Injection.\u00a0This ulnerability allowed SQL injections to be made even if 
authentication failed.This issue affects Pandora FMS: from 700 through \u003c776." } ], "impacts": [ { "capecId": "CAPEC-66", "descriptions": [ { "lang": "en", "value": "CAPEC-66 SQL Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-19T16:31:38.932Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\nFixed in v776.\n\n\u003cbr\u003e" } ], "value": "\nFixed in v776.\n\n" } ], "source": { "discovery": "EXTERNAL" }, "title": "Unauth Time-Based SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-44091", "datePublished": "2024-03-19T16:31:38.932Z", "dateReserved": "2023-09-25T08:33:09.669Z", "dateUpdated": "2024-08-02T19:52:11.930Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-4280 (GCVE-0-2010-4280)
Vulnerability from cvelistv5
Published
2010-12-02 17:00
Modified
2024-08-07 03:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/42347 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/514939/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://osvdb.org/69548 | vdb-entry, x_refsource_OSVDB | |
http://osvdb.org/69547 | vdb-entry, x_refsource_OSVDB | |
http://www.exploit-db.com/exploits/15641 | exploit, x_refsource_EXPLOIT-DB | |
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/45112 | vdb-entry, x_refsource_BID | |
http://seclists.org/fulldisclosure/2010/Nov/326 | mailing-list, x_refsource_FULLDISC | |
http://www.exploit-db.com/exploits/15642 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:43:14.470Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69548", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69548" }, { "name": "69547", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69547" }, { "name": "15641", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15641" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15642", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15642" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote 
authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69548", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69548" }, { "name": "69547", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69547" }, { "name": "15641", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15641" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15642", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15642" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4280", "STATE": "PUBLIC" }, "affects": { 
"vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "42347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69548", "refsource": "OSVDB", "url": "http://osvdb.org/69548" }, { "name": "69547", "refsource": "OSVDB", "url": "http://osvdb.org/69547" }, { "name": "15641", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15641" }, { "name": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "refsource": "FULLDISC", "url": 
"http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15642", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15642" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4280", "datePublished": "2010-12-02T17:00:00", "dateReserved": "2010-11-17T00:00:00", "dateUpdated": "2024-08-07T03:43:14.470Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-19681 (GCVE-0-2019-19681)
Vulnerability from cvelistv5
Published
2019-12-26 15:59
Modified
2024-08-05 02:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Pandora FMS 7.x suffers from a remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands.
References
▼ | URL | Tags |
---|---|---|
https://medium.com/%40k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a | x_refsource_MISC | |
https://pandorafms.com/blog/pandora-fms-vulnerability/ | x_refsource_MISC | |
https://k4m1ll0.com/cve-2019-19681.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:25:12.407Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://medium.com/%40k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pandorafms.com/blog/pandora-fms-vulnerability/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/cve-2019-19681.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. 
They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-23T15:16:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://medium.com/%40k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pandorafms.com/blog/pandora-fms-vulnerability/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/cve-2019-19681.html" } ], "tags": [ "disputed" ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19681", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "** DISPUTED ** Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://medium.com/@k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a", "refsource": "MISC", "url": "https://medium.com/@k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a" }, { "name": "https://pandorafms.com/blog/pandora-fms-vulnerability/", "refsource": "MISC", "url": "https://pandorafms.com/blog/pandora-fms-vulnerability/" }, { "name": "https://k4m1ll0.com/cve-2019-19681.html", "refsource": "MISC", "url": "https://k4m1ll0.com/cve-2019-19681.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19681", "datePublished": "2019-12-26T15:59:27", "dateReserved": "2019-12-09T00:00:00", "dateUpdated": "2024-08-05T02:25:12.407Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-44092 (GCVE-0-2023-44092)
Vulnerability from cvelistv5
Published
2024-03-19 16:32
Modified
2024-08-02 19:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Pandora FMS on all platforms allows OS Command Injection. This vulnerability allowed an attacker to create a reverse shell and execute commands in the OS. This issue affects Pandora FMS: from 700 through <776.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS | Version: from 700 through <776 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:artica:pandora_fms:700:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "pandora_fms", "vendor": "artica", "versions": [ { "lessThan": "776", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-44092", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-20T14:31:18.246071Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-02T14:44:44.312Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T19:59:50.235Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "\u003c776", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aleksey Solovev (Positive Technologies)" } ], "datePublic": "2024-03-19T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Pandora FMS on all allows OS Command Injection.\u0026nbsp;This vulnerability allowed to create a reverse shell and execute commands in the OS.\u0026nbsp;\u003cspan style=\"background-color: var(--darkreader-bg--wht);\"\u003eThis issue affects Pandora FMS: 
from 700 through \u0026lt;776.\u003c/span\u003e" } ], "value": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027) vulnerability in Pandora FMS on all allows OS Command Injection.\u00a0This vulnerability allowed to create a reverse shell and execute commands in the OS.\u00a0This issue affects Pandora FMS: from 700 through \u003c776." } ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88 OS Command Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-19T16:32:54.633Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v776." } ], "value": "Fixed in v776." 
} ], "source": { "discovery": "EXTERNAL" }, "title": "OS Command Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-44092", "datePublished": "2024-03-19T16:32:54.633Z", "dateReserved": "2023-09-25T08:33:09.669Z", "dateUpdated": "2024-08-02T19:59:50.235Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-32100 (GCVE-0-2021-32100)
Vulnerability from cvelistv5
Published
2021-05-07 03:51
Modified
2024-08-03 23:17
CWE
- n/a
Summary
A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:17:29.175Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-07T03:51:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-32100", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained", "refsource": "MISC", "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "name": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/", "refsource": "MISC", "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "name": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack", "refsource": "MISC", "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-32100", "datePublished": "2021-05-07T03:51:05", "dateReserved": "2021-05-07T00:00:00", "dateUpdated": "2024-08-03T23:17:29.175Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8500 (GCVE-0-2020-8500)
Vulnerability from cvelistv5
Published
2020-03-02 15:03
Modified
2024-11-18 17:48
CWE
- n/a
Summary
** DISPUTED ** In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality.
References
▼ | URL | Tags |
---|---|---|
https://k4m1ll0.com/cve-2020-8500.html | x_refsource_MISC | |
https://pandorafms.com/downloads/extension-uploader-feature-explained.mp4 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:03:45.792Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/cve-2020-8500.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pandorafms.com/downloads/extension-uploader-feature-explained.mp4" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2020-8500", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-18T17:48:06.906198Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-18T17:48:20.764Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-02-06T00:00:00", "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. 
NOTE: The vendor reports that this is intended functionality" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-09T14:30:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/cve-2020-8500.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pandorafms.com/downloads/extension-uploader-feature-explained.mp4" } ], "tags": [ "disputed" ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8500", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "** DISPUTED ** In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://k4m1ll0.com/cve-2020-8500.html", "refsource": "MISC", "url": "https://k4m1ll0.com/cve-2020-8500.html" }, { "name": "https://pandorafms.com/downloads/extension-uploader-feature-explained.mp4", "refsource": "MISC", "url": "https://pandorafms.com/downloads/extension-uploader-feature-explained.mp4" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8500", "datePublished": "2020-03-02T15:03:22", "dateReserved": "2020-01-31T00:00:00", "dateUpdated": "2024-11-18T17:48:20.764Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-5844 (GCVE-0-2020-5844)
Vulnerability from cvelistv5
Published
2020-03-16 17:22
Modified
2024-08-04 08:39
CWE
- n/a
Summary
index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com | x_refsource_MISC | |
https://github.com/TheCyberGeek/CVE-2020-5844 | x_refsource_MISC | |
http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:39:25.911Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pandorafms.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/TheCyberGeek/CVE-2020-5844" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "index.php?sec=godmode/extensions\u0026sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-20T05:06:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://pandorafms.com" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/TheCyberGeek/CVE-2020-5844" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-5844", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": 
"index.php?sec=godmode/extensions\u0026sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://pandorafms.com", "refsource": "MISC", "url": "https://pandorafms.com" }, { "name": "https://github.com/TheCyberGeek/CVE-2020-5844", "refsource": "MISC", "url": "https://github.com/TheCyberGeek/CVE-2020-5844" }, { "name": "http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-5844", "datePublished": "2020-03-16T17:22:05", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2024-08-04T08:39:25.911Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41810 (GCVE-0-2023-41810)
Vulnerability from cvelistv5
Published
2023-11-23 14:52
Modified
2024-08-02 19:09
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all platforms allows Cross-Site Scripting (XSS). This vulnerability allowed JavaScript code to be executed in some Widgets' text box. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 ≤ 773 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T15:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in some Widgets\u0027 text box. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in some Widgets\u0027 text box. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:52:59.306Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Stored XSS Via Dashboard Panel", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41810", "datePublished": "2023-11-23T14:52:59.306Z", "dateReserved": "2023-09-01T12:10:03.869Z", "dateUpdated": "2024-08-02T19:09:48.815Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-4278 (GCVE-0-2010-4278)
Vulnerability from cvelistv5
Published
2010-12-02 17:00
Modified
2024-08-07 03:43
CWE
- n/a
Summary
operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/42347 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/514939/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://osvdb.org/69550 | vdb-entry, x_refsource_OSVDB | |
http://www.exploit-db.com/exploits/15640 | exploit, x_refsource_EXPLOIT-DB | |
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/45112 | vdb-entry, x_refsource_BID | |
http://seclists.org/fulldisclosure/2010/Nov/326 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:43:13.825Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69550", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69550" }, { "name": "15640", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15640" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69550", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69550" }, { "name": "15640", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15640" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4278", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an 
operation/agentes/networkmap action to index.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "42347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69550", "refsource": "OSVDB", "url": "http://osvdb.org/69550" }, { "name": "15640", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15640" }, { "name": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4278", "datePublished": "2010-12-02T17:00:00", "dateReserved": "2010-11-17T00:00:00", "dateUpdated": "2024-08-07T03:43:13.825Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-35306 (GCVE-0-2024-35306)
Vulnerability from cvelistv5
Published
2024-06-10 14:30
Modified
2024-08-02 03:07
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
OS command injection in Ajax PHP files via HTTP request allows system commands to be executed by exploiting variables. This issue affects Pandora FMS: from 700 up to, but not including, 777.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 < 777 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:pandora_fms:pandora_fms:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "pandora_fms", "vendor": "pandora_fms", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-35306", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-10T17:34:28.554257Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-10T17:42:02.806Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:07:46.944Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Aleksey Solovev (Positive Technologies)" } ], "datePublic": "2024-06-10T14:28:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables.\u0026nbsp;This issue affects Pandora FMS: from 700 through \u0026lt;777." } ], "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." 
} ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88 OS Command Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "RED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/AU:Y/R:U/RE:L/U:Red", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-10T14:30:36.784Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed v777" } ], "value": "Fixed v777" } ], "source": { "discovery": "EXTERNAL" }, "title": "OS Command injection in Ajax PHP files through HTTP Request", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2024-35306", "datePublished": "2024-06-10T14:30:36.784Z", "dateReserved": "2024-05-16T17:38:35.343Z", "dateUpdated": "2024-08-02T03:07:46.944Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41806 (GCVE-0-2023-41806)
Vulnerability from cvelistv5
Published
2023-11-23 14:47
Modified
2024-08-02 19:09
CWE
- CWE-269 - Improper Privilege Management
Summary
Improper Privilege Management vulnerability in Pandora FMS on all platforms allows Privilege Escalation. A bad privilege assignment could cause a DoS attack that affects the availability of the Pandora FMS server. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 ≤ 773 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.955Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:50:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability causes that a bad privilege assignment could cause a DOS attack that affects the availability of the Pandora FMS server. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability causes that a bad privilege assignment could cause a DOS attack that affects the availability of the Pandora FMS server. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-233", "descriptions": [ { "lang": "en", "value": "CAPEC-233 Privilege Escalation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:47:54.186Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Misassignment of privileges can cause DOS attack", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41806", "datePublished": "2023-11-23T14:47:54.186Z", "dateReserved": "2023-09-01T12:10:03.868Z", "dateUpdated": "2024-08-02T19:09:48.955Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-4279 (GCVE-0-2010-4279)
Vulnerability from cvelistv5
Published
2010-12-02 17:00
Modified
2024-08-07 03:43
CWE
- n/a
Summary
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/42347 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/514939/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download | x_refsource_MISC | |
https://www.exploit-db.com/exploits/35731/ | exploit, x_refsource_EXPLOIT-DB | |
http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/45112 | vdb-entry, x_refsource_BID | |
http://www.exploit-db.com/exploits/15639 | exploit, x_refsource_EXPLOIT-DB | |
http://seclists.org/fulldisclosure/2010/Nov/326 | mailing-list, x_refsource_FULLDISC | |
http://osvdb.org/69549 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:43:13.319Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "35731", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/35731/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "15639", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15639" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "69549", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69549" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-11-30T00:00:00", "descriptions": [ { "lang": "en", "value": "The default configuration of Pandora FMS 3.1 
and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with \"admin\" in the loginhash_user parameter, in conjunction with the md5 hash of \"admin\" in the loginhash_data parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "35731", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/35731/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "15639", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15639" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "69549", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69549" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": 
"CVE-2010-4279", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with \"admin\" in the loginhash_user parameter, in conjunction with the md5 hash of \"admin\" in the loginhash_data parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "42347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download", "refsource": "MISC", "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "35731", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/35731/" }, { "name": "http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/129830/Pandora-3.1-Auth-Bypass-Arbitrary-File-Upload.html" }, { "name": "45112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45112" }, { "name": "15639", "refsource": "EXPLOIT-DB", "url": 
"http://www.exploit-db.com/exploits/15639" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "69549", "refsource": "OSVDB", "url": "http://osvdb.org/69549" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4279", "datePublished": "2010-12-02T17:00:00", "dateReserved": "2010-11-17T00:00:00", "dateUpdated": "2024-08-07T03:43:13.319Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8511 (GCVE-0-2020-8511)
Vulnerability from cvelistv5
Published
2020-03-23 15:12
Modified
2024-08-04 10:03
CWE
- n/a
Summary
In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500.
References
▼ | URL | Tags |
---|---|---|
https://k4m1ll0.com/cve-2020-8511.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:03:45.911Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/cve-2020-8511.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-23T15:12:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/cve-2020-8511.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8511", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://k4m1ll0.com/cve-2020-8511.html", "refsource": "MISC", "url": "https://k4m1ll0.com/cve-2020-8511.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8511", "datePublished": "2020-03-23T15:12:00", "dateReserved": "2020-01-31T00:00:00", "dateUpdated": "2024-08-04T10:03:45.911Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-5306 (GCVE-0-2025-5306)
Vulnerability from cvelistv5
Published
2025-06-27 07:48
Modified
2025-06-27 13:37
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778. The record's solution field reads: "Upgrade to version 777.10 or 780 or higher".
References
Impacted products
Vendor | Product | Version |
---|---|---|
Pandora FMS | Pandora FMS | 774 through 778 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-5306", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-27T13:36:21.527912Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-27T13:37:26.075Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "778", "status": "affected", "version": "774", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Martin Sutovsky, Security Researcher. Rapid 7" } ], "datePublic": "2025-06-27T07:46:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778" } ], "value": "Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. 
This issue affects Pandora FMS 774 through 778" } ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88 OS Command Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NO", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/R:U/V:D/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-27T07:48:15.936Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Upgrade to version 777.10 or 780 or higher" } ], "value": "Upgrade to version 777.10 or 780 or higher" } ], "source": { "discovery": "EXTERNAL" }, "title": "Command Injection in Netflow path", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2025-5306", "datePublished": "2025-06-27T07:48:15.936Z", "dateReserved": "2025-05-28T14:26:40.736Z", 
"dateUpdated": "2025-06-27T13:37:26.075Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41793 (GCVE-0-2023-41793)
Vulnerability from cvelistv5
Published
2024-03-19 16:34
Modified
2024-08-02 19:22
CWE
- CWE-35 - Path Traversal
Summary
Path Traversal vulnerability in Pandora FMS on all platforms allows Path Traversal. This vulnerability allowed changing directories, and creating and downloading files, outside the allowed directories. This issue affects Pandora FMS: from 700 through <776 (the record's solution field reads "Fixed in v776").
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Pandora FMS | Pandora FMS | 700 through <776 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:49.016Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "pandora_fms", "vendor": "pandorafms", "versions": [ { "lessThanOrEqual": "776", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2023-41793", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-02T19:21:08.499209Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-02T19:22:18.510Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "\u003c776", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Aleksey Solovev (Positive Technologies)" } ], "datePublic": "2024-03-19T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": ": Path Traversal vulnerability in Pandora FMS on all allows Path Traversal.\u0026nbsp;This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories.\u0026nbsp;\u003cspan style=\"background-color: var(--darkreader-bg--wht);\"\u003eThis issue affects Pandora FMS: from 700 through 
\u0026lt;776.\u003c/span\u003e" } ], "value": ": Path Traversal vulnerability in Pandora FMS on all allows Path Traversal.\u00a0This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories.\u00a0This issue affects Pandora FMS: from 700 through \u003c776." } ], "impacts": [ { "capecId": "CAPEC-126", "descriptions": [ { "lang": "en", "value": "CAPEC-126 Path Traversal" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-35", "description": "CWE-35: Path Traversal", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-19T16:34:48.358Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\nFixed in v776.\n\n\u003cbr\u003e" } ], "value": "\nFixed in v776.\n\n" } ], "source": { "discovery": "UNKNOWN" }, "title": "Path Traversal and Untrusted Upload File", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41793", "datePublished": "2024-03-19T16:34:48.358Z", "dateReserved": "2023-09-01T11:54:47.539Z", "dateUpdated": "2024-08-02T19:22:18.510Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-32099 (GCVE-0-2021-32099)
Vulnerability from cvelistv5
Published
2021-05-07 03:51
Modified
2024-08-03 23:17
CWE
- n/a
Summary
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:17:28.907Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-07T03:51:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-32099", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained", "refsource": "MISC", "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" }, { "name": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/", "refsource": "MISC", "url": "https://pandorafms.com/blog/whats-new-in-pandora-fms-743/" }, { "name": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack", "refsource": "MISC", "url": "https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-32099", "datePublished": "2021-05-07T03:51:15", "dateReserved": "2021-05-07T00:00:00", "dateUpdated": "2024-08-03T23:17:28.907Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-36698 (GCVE-0-2021-36698)
Vulnerability from cvelistv5
Published
2021-11-03 11:33
Modified
2024-08-04 01:01
CWE
- n/a
Summary
Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name.
References
▼ | URL | Tags |
---|---|---|
http://artica.com | x_refsource_MISC | |
http://pandora.com | x_refsource_MISC | |
https://k4m1ll0.com/chained_exploit_htaccess.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:01:58.906Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://artica.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://pandora.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-03T11:33:49", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://artica.com" }, { "tags": [ "x_refsource_MISC" ], "url": "http://pandora.com" }, { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-36698", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://artica.com", "refsource": "MISC", "url": "http://artica.com" }, { "name": "http://pandora.com", "refsource": "MISC", "url": "http://pandora.com" }, { "name": "https://k4m1ll0.com/chained_exploit_htaccess.html", "refsource": "MISC", "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-36698", "datePublished": "2021-11-03T11:33:49", "dateReserved": "2021-07-12T00:00:00", "dateUpdated": "2024-08-04T01:01:58.906Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-15935 (GCVE-0-2017-15935)
Vulnerability from cvelistv5
Published
2017-10-27 20:00
Modified
2024-08-05 20:13
CWE
- n/a
Summary
Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file.
References
▼ | URL | Tags |
---|---|---|
https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:13:05.926Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-10-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-27T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15935", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d", "refsource": "MISC", "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15935", "datePublished": "2017-10-27T20:00:00", "dateReserved": "2017-10-27T00:00:00", "dateUpdated": "2024-08-05T20:13:05.926Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-4283 (GCVE-0-2010-4283)
Vulnerability from cvelistv5
Published
2010-12-02 17:00
Modified
2024-08-07 03:43
CWE
- n/a
Summary
PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/42347 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/514939/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download | x_refsource_CONFIRM | |
http://osvdb.org/69542 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/45112 | vdb-entry, x_refsource_BID | |
http://seclists.org/fulldisclosure/2010/Nov/326 | mailing-list, x_refsource_FULLDISC | |
http://www.exploit-db.com/exploits/15643 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:43:13.709Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "69542", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69542" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15643" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "69542", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69542" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15643" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4283", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "42347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "69542", "refsource": "OSVDB", "url": "http://osvdb.org/69542" }, { "name": "45112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15643" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4283", "datePublished": "2010-12-02T17:00:00", "dateReserved": "2010-11-17T00:00:00", "dateUpdated": "2024-08-07T03:43:13.709Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20050 (GCVE-0-2019-20050)
Vulnerability from cvelistv5
Published
2020-01-30 15:47
Modified
2024-08-05 02:32
CWE
- n/a
Summary
Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type.
References
▼ | URL | Tags |
---|---|---|
https://k4m1ll0.com/cve-2019-20050.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:32:10.522Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/cve-2019-20050.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Pandora FMS \u2264 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a \"tricky\" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-30T16:47:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/cve-2019-20050.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20050", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Pandora FMS \u2264 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a \"tricky\" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://k4m1ll0.com/cve-2019-20050.html", "refsource": "MISC", "url": "https://k4m1ll0.com/cve-2019-20050.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20050", "datePublished": "2020-01-30T15:47:32", "dateReserved": "2019-12-27T00:00:00", "dateUpdated": "2024-08-05T02:32:10.522Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41790 (GCVE-0-2023-41790)
Vulnerability from cvelistv5
Published
2023-11-23 14:38
Modified
2024-08-02 19:09
CWE
- CWE-427 - Uncontrolled Search Path Element
Summary
Uncontrolled Search Path Element vulnerability in Pandora FMS on all platforms allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to the server configuration file and compromise of the database. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS | Version: 700 through 773 (inclusive) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.367Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:40:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows to access the server configuration file and to compromise the database. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows to access the server configuration file and to compromise the database. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-38", "descriptions": [ { "lang": "en", "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:38:45.504Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\nFixed in v774 in v772.2.\n\n\u003cbr\u003e" } ], "value": "\nFixed in v774 in v772.2.\n\n\n" } ], "source": { "discovery": "EXTERNAL" }, "title": "Traversal Path on PHP file", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41790", "datePublished": "2023-11-23T14:38:45.504Z", "dateReserved": "2023-09-01T11:54:47.539Z", "dateUpdated": "2024-08-02T19:09:48.367Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41812 (GCVE-0-2023-41812)
Vulnerability from cvelistv5
Published
2023-11-23 14:58
Modified
2024-08-02 19:09
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all platforms allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allowed PHP executable files to be uploaded through the file manager. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS | Version: 700 through 773 (inclusive) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:49.062Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Osama Yousef \u003csu.osamayousef@gmail.com\u003e" } ], "datePublic": "2023-11-23T15:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allowed PHP executable files to be uploaded through the file manager. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allowed PHP executable files to be uploaded through the file manager. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-1", "descriptions": [ { "lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:58:44.103Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Uploading executables via the file manager", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41812", "datePublished": "2023-11-23T14:58:44.103Z", "dateReserved": "2023-09-01T12:10:03.869Z", "dateUpdated": "2024-08-02T19:09:49.062Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-4281 (GCVE-0-2010-4281)
Vulnerability from cvelistv5
Published
2010-12-02 17:00
Modified
2024-08-07 03:43
CWE
- n/a
Summary
Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/42347 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/514939/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://osvdb.org/69546 | vdb-entry, x_refsource_OSVDB | |
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/45112 | vdb-entry, x_refsource_BID | |
http://seclists.org/fulldisclosure/2010/Nov/326 | mailing-list, x_refsource_FULLDISC | |
http://www.exploit-db.com/exploits/15643 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:43:13.741Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69546", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69546" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15643" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69546", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69546" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15643" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4281", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page 
parameter containing a UNC share pathname, which bypasses the check for the : (colon) character." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "42347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "69546", "refsource": "OSVDB", "url": "http://osvdb.org/69546" }, { "name": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "45112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45112" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15643" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4281", "datePublished": "2010-12-02T17:00:00", "dateReserved": "2010-11-17T00:00:00", "dateUpdated": "2024-08-07T03:43:13.741Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41811 (GCVE-0-2023-41811)
Vulnerability from cvelistv5
Published
2023-11-23 14:54
Modified
2024-08-02 19:09
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all platforms allows Cross-Site Scripting (XSS). This vulnerability allowed JavaScript code to be executed in the news section of the web console. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS | Version: 700 through 773 (inclusive) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.647Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T15:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the news section of the web console. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the news section of the web console. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:54:41.510Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Stored XSS Via Site News Page", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41811", "datePublished": "2023-11-23T14:54:41.510Z", "dateReserved": "2023-09-01T12:10:03.869Z", "dateUpdated": "2024-08-02T19:09:48.647Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-26518 (GCVE-0-2020-26518)
Vulnerability from cvelistv5
Published
2020-10-02 04:31
Modified
2024-08-04 15:56
CWE
- n/a
Summary
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter.
References
▼ | URL | Tags |
---|---|---|
https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:56:04.396Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-02T04:31:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-26518", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained", "refsource": "MISC", "url": "https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-26518", "datePublished": "2020-10-02T04:31:27", "dateReserved": "2020-10-02T00:00:00", "dateUpdated": "2024-08-04T15:56:04.396Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-15937 (GCVE-0-2017-15937)
Vulnerability from cvelistv5
Published
2017-10-27 20:00
Modified
2024-08-05 20:13
CWE
- n/a
Summary
Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX).
References
▼ | URL | Tags |
---|---|---|
https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:13:05.924Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-10-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page\u0027s graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX)." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-27T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15937", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page\u0027s graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d", "refsource": "MISC", "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15937", "datePublished": "2017-10-27T20:00:00", "dateReserved": "2017-10-27T00:00:00", "dateUpdated": "2024-08-05T20:13:05.924Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41786 (GCVE-0-2023-41786)
Vulnerability from cvelistv5
Published
2023-11-23 14:27
Modified
2024-10-15 18:31
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all platforms allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 ≤ 772 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.526Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-41786", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:15:17.804012Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-15T18:31:01.529Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "772", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772." } ], "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772." 
} ], "impacts": [ { "capecId": "CAPEC-497", "descriptions": [ { "lang": "en", "value": "CAPEC-497 File Discovery" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:27:33.933Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v773 and 772.1." } ], "value": "Fixed in v773 and 772.1." } ], "source": { "discovery": "EXTERNAL" }, "title": "Database backups availability by low-privileged users", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41786", "datePublished": "2023-11-23T14:27:33.933Z", "dateReserved": "2023-09-01T11:54:47.538Z", "dateUpdated": "2024-10-15T18:31:01.529Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-12971 (GCVE-0-2024-12971)
Vulnerability from cvelistv5
Published
2025-03-17 09:19
Modified
2025-03-17 12:32
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection. This issue affects Pandora FMS from 700 to 777.6.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 ≤ 777.6 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-12971", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-17T12:32:25.865316Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-17T12:32:34.801Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "777.6", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Hanko van Giessen a.k.a. h00die-gr3y \u003ch00die.gr3y@gmail.com\u003e" } ], "datePublic": "2025-03-17T09:16:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6" } ], "value": "Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6" } ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88 OS Command Injection" } ] }, { "capecId": "CAPEC-233", "descriptions": [ { "lang": "en", "value": "CAPEC-233 Privilege Escalation" } ] }, { "capecId": "CAPEC-137", "descriptions": [ { "lang": "en", "value": "CAPEC-137 Parameter Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", 
"subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-17T09:19:31.761Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v781 and v777.8" } ], "value": "Fixed in v781 and v777.8" } ], "source": { "discovery": "EXTERNAL" }, "title": "QuickShell Authenticated Command Injection", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2024-12971", "datePublished": "2025-03-17T09:19:31.761Z", "dateReserved": "2024-12-26T10:09:18.562Z", "dateUpdated": "2025-03-17T12:32:34.801Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-35304 (GCVE-0-2024-35304)
Vulnerability from cvelistv5
Published
2024-06-10 14:21
Modified
2024-08-02 03:07
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
System command injection through the Netflow function due to improper input validation, allowing attackers to execute arbitrary system commands. This issue affects Pandora FMS: from 700 up to, but not including, 777.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 < 777 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "pandora_fms", "vendor": "pandorafms", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-35304", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-10T15:44:44.106381Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-10T15:47:46.560Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:07:46.949Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "u32i@proton.me" } ], "datePublic": "2024-06-10T14:15:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "System command injection through Netflow function\u0026nbsp;due to improper input validation, allowing attackers to execute arbitrary system commands.\u0026nbsp;This issue affects Pandora FMS: from 700 through \u0026lt;777." } ], "value": "System command injection through Netflow function\u00a0due to improper input validation, allowing attackers to execute arbitrary system commands.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." 
} ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88 OS Command Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-10T14:21:10.487Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed v777" } ], "value": "Fixed v777" } ], "source": { "discovery": "EXTERNAL" }, "title": "System command injection through Netflow function", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2024-35304", "datePublished": "2024-06-10T14:21:10.487Z", "dateReserved": "2024-05-16T17:38:35.341Z", "dateUpdated": "2024-08-02T03:07:46.949Z", "state": "PUBLISHED" 
}, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-11221 (GCVE-0-2018-11221)
Vulnerability from cvelistv5
Published
2018-06-15 21:00
Modified
2024-08-05 08:01
CWE
- n/a
Summary
Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf | x_refsource_CONFIRM | |
https://blog.hackercat.ninja/post/pandoras_box/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T08:01:52.756Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.hackercat.ninja/post/pandoras_box/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-06-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.hackercat.ninja/post/pandoras_box/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11221", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf", "refsource": "CONFIRM", "url": "https://pandorafms.com/wp-content/uploads/2018/06/whats-new-723-EN.pdf" }, { "name": "https://blog.hackercat.ninja/post/pandoras_box/", "refsource": "MISC", "url": "https://blog.hackercat.ninja/post/pandoras_box/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11221", "datePublished": "2018-06-15T21:00:00", "dateReserved": "2018-05-16T00:00:00", "dateUpdated": "2024-08-05T08:01:52.756Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-46681 (GCVE-0-2021-46681)
Vulnerability from cvelistv5
Published
2022-08-05 15:25
Modified
2024-09-17 02:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the module massive operation name field.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | x_refsource_CONFIRM | |
https://www.incibe.es/en/cve-assignment-publication/coordinated-cves | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Artica PFMS | Pandora FMS |
Version: v756 < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:41.525Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Artica PFMS", "versions": [ { "lessThanOrEqual": "v756", "status": "affected", "version": "v756", "versionType": "custom" } ] } ], "datePublic": "2022-02-21T00:00:00", "descriptions": [ { "lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-05T15:25:33", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "ARTICA" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves" } ], "solutions": [ { "lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS." 
} ], "source": { "discovery": "INTERNAL" }, "title": "Vulnerability XSS in module mass operation name field", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@pandorafms.com", "DATE_PUBLIC": "2022-02-21T11:00:00.000Z", "ID": "CVE-2021-46681", "STATE": "PUBLIC", "TITLE": "Vulnerability XSS in module mass operation name field" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Pandora FMS", "version": { "version_data": [ { "platform": "all", "version_affected": "\u003c=", "version_name": "v756", "version_value": "v756" } ] } } ] }, "vendor_name": "Artica PFMS" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "refsource": "CONFIRM", "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" }, { "name": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "refsource": "CONFIRM", "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves" } ] }, "solution": [ { "lang": "en", "value": 
"This vulnerability has been solved in the 757 version of Pandora FMS." } ], "source": { "discovery": "INTERNAL" } } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "ARTICA", "cveId": "CVE-2021-46681", "datePublished": "2022-08-05T15:25:33.950122Z", "dateReserved": "2022-02-08T00:00:00", "dateUpdated": "2024-09-17T02:47:51.973Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-4677 (GCVE-0-2023-4677)
Vulnerability from cvelistv5
Published
2023-11-23 14:22
Modified
2024-12-02 19:39
CWE
- CWE-287 - Improper Authentication
Summary
Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS <= 772.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 ≤ 772 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T07:31:06.635Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-4677", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-02T19:39:32.603254Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-02T19:39:44.273Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "772", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS \u0026lt;= 772." } ], "value": "Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. 
The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS \u003c= 772." } ], "impacts": [ { "capecId": "CAPEC-115", "descriptions": [ { "lang": "en", "value": "CAPEC-115 Authentication Bypass" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:22:01.559Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v773 and v772.1" } ], "value": "Fixed in v773 and v772.1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Unauthenticated Admin Account Takeover Via Cron Log File Backups", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-4677", "datePublished": "2023-11-23T14:22:01.559Z", "dateReserved": "2023-08-31T15:38:14.018Z", "dateUpdated": "2024-12-02T19:39:44.273Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20224 (GCVE-0-2019-20224)
Vulnerability from cvelistv5
Published
2020-01-09 15:37
Modified
2024-08-05 02:39
CWE
- n/a
Summary
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.204Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://pandorafms.com/downloads/solved-pandorafms-742.mp4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-24T20:08:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9" }, { "tags": [ "x_refsource_MISC" ], "url": "https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing" }, { "tags": [ "x_refsource_MISC" ], "url": "https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://pandorafms.com/downloads/solved-pandorafms-742.mp4" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20224", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9", "refsource": "MISC", "url": "https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9" }, { "name": "https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing", "refsource": "MISC", "url": "https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing" }, { "name": "https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/", "refsource": "MISC", "url": "https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/" }, { "name": "http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html" }, { "name": "https://pandorafms.com/downloads/solved-pandorafms-742.mp4", "refsource": "MISC", "url": "https://pandorafms.com/downloads/solved-pandorafms-742.mp4" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20224", "datePublished": "2020-01-09T15:37:58", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-05T02:39:09.204Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41789 (GCVE-0-2023-41789)
Vulnerability from cvelistv5
Published
2023-11-23 14:36
Modified
2024-08-02 19:09
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all platforms allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 ≤ 773 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.278Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:40:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:36:55.047Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\nFixed in v774 and v772.2.\n\n\u003cbr\u003e" } ], "value": "\nFixed in v774 and v772.2.\n\n\n" } ], "source": { "discovery": "EXTERNAL" }, "title": "Unauthenticated Admin Account Takeover Via XSS", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41789", "datePublished": "2023-11-23T14:36:55.047Z", "dateReserved": "2023-09-01T11:54:47.539Z", "dateUpdated": "2024-08-02T19:09:48.278Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-15934 (GCVE-0-2017-15934)
Vulnerability from cvelistv5
Published
2017-10-27 20:00
Modified
2024-08-05 20:13
CWE
- n/a
Summary
Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.
References
▼ | URL | Tags |
---|---|---|
https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:13:05.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-10-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-27T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15934", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d", "refsource": "MISC", "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15934", "datePublished": "2017-10-27T20:00:00", "dateReserved": "2017-10-27T00:00:00", "dateUpdated": "2024-08-05T20:13:05.913Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8947 (GCVE-0-2020-8947)
Vulnerability from cvelistv5
Published
2020-02-12 17:52
Modified
2024-08-04 10:12
CWE
- n/a
Summary
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:12:10.970Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://engindemirbilek.github.io/pandorafms-rce" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-13T17:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://engindemirbilek.github.io/pandorafms-rce" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8947", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://engindemirbilek.github.io/pandorafms-rce", "refsource": "MISC", "url": "https://engindemirbilek.github.io/pandorafms-rce" }, { "name": "https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html", "refsource": "MISC", "url": "https://github.com/EnginDemirbilek/EnginDemirbilek.github.io/blob/master/pandorafms-rce.html" }, { "name": "http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/156326/Pandora-FMS-7.0-Authenticated-Remote-Code-Execution.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8947", "datePublished": "2020-02-12T17:52:37", "dateReserved": "2020-02-12T00:00:00", "dateUpdated": "2024-08-04T10:12:10.970Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41807 (GCVE-0-2023-41807)
Vulnerability from cvelistv5
Published
2023-11-23 14:49
Modified
2024-10-15 18:30
Severity
9.1 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, CNA score from the record below)
CWE
- CWE-269 - Improper Privilege Management
Summary
Improper Privilege Management vulnerability in Pandora FMS on all platforms allows Privilege Escalation. This vulnerability allows a user to escalate permissions on the system shell. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
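Vendor | Product | Version |
---|---|---|
Pandora FMS | Pandora FMS | 700 through 773 (affected); fixed in v774 and v772.2. v772.2 appears to fall inside the listed range, so check the installed build against the fixed versions, not the range alone. |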
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.671Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-41807", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:15:16.296168Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-15T18:30:51.821Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:50:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows a user to escalate permissions on the system shell. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows a user to escalate permissions on the system shell. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-233", "descriptions": [ { "lang": "en", "value": "CAPEC-233 Privilege Escalation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:49:41.335Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Linux Local Privilege Escalation Via GoTTY Page", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41807", "datePublished": "2023-11-23T14:49:41.335Z", "dateReserved": "2023-09-01T12:10:03.868Z", "dateUpdated": "2024-10-15T18:30:51.821Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-34075 (GCVE-0-2021-34075)
Vulnerability from cvelistv5
Published
2021-06-30 19:07
Modified
2024-08-04 00:05
CWE
- n/a
Summary
In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access.
References
▼ | URL | Tags |
---|---|---|
https://k4m1ll0.com/cve-2021-34075.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:05:52.140Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/cve-2021-34075.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2021-06-25T00:00:00", "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS \u003c=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-06-30T19:07:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/cve-2021-34075.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-34075", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Artica Pandora FMS \u003c=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://k4m1ll0.com/cve-2021-34075.html", "refsource": "MISC", "url": "https://k4m1ll0.com/cve-2021-34075.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-34075", "datePublished": "2021-06-30T19:07:02", "dateReserved": "2021-06-07T00:00:00", "dateUpdated": "2024-08-04T00:05:52.140Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-4282 (GCVE-0-2010-4282)
Vulnerability from cvelistv5
Published
2010-12-02 17:00
Modified
2024-08-07 03:43
CWE
- n/a
Summary
Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.
References
▼ | URL | Tags |
---|---|---|
http://osvdb.org/69545 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/42347 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/archive/1/514939/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download | x_refsource_CONFIRM | |
http://osvdb.org/69543 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/45112 | vdb-entry, x_refsource_BID | |
http://osvdb.org/69544 | vdb-entry, x_refsource_OSVDB | |
http://seclists.org/fulldisclosure/2010/Nov/326 | mailing-list, x_refsource_FULLDISC | |
http://www.exploit-db.com/exploits/15643 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:43:14.042Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "69545", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69545" }, { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "69543", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69543" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "69544", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/69544" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/15643" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-10-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include 
and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "69545", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69545" }, { "name": "42347", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "69543", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69543" }, { "name": "45112", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/45112" }, { "name": "69544", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/69544" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/15643" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4282", "STATE": "PUBLIC" }, "affects": { "vendor": { 
"vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "69545", "refsource": "OSVDB", "url": "http://osvdb.org/69545" }, { "name": "42347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42347" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded" }, { "name": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download" }, { "name": "69543", "refsource": "OSVDB", "url": "http://osvdb.org/69543" }, { "name": "45112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45112" }, { "name": "69544", "refsource": "OSVDB", "url": "http://osvdb.org/69544" }, { "name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "refsource": "FULLDISC", "url": 
"http://seclists.org/fulldisclosure/2010/Nov/326" }, { "name": "15643", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15643" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4282", "datePublished": "2010-12-02T17:00:00", "dateReserved": "2010-11-17T00:00:00", "dateUpdated": "2024-08-07T03:43:14.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-44090 (GCVE-0-2023-44090)
Vulnerability from cvelistv5
Published
2024-03-19 16:26
Modified
2024-08-02 19:52
Severity
6.8 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L, CNA score from the record below)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all platforms allows SQL injection (the CNA text names "CVE-2008-5817" at this point; the record's impact field is CAPEC-66 SQL Injection). This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 up to, but not including, 776.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Pandora FMS | Pandora FMS | 700 up to, but not including, 776 (the record's upper bound is written "<776"); fixed in v776 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2023-44090", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-19T17:26:33.494752Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:19:17.600Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T19:52:12.017Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "\u003c776", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "dabdurakhmanova@ptsecurity.com" } ], "datePublic": "2024-03-19T17:01:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\nImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Pandora FMS on all allows CVE-2008-5817. This vulnerability allowed SQL changes to be made to several files in the Grafana module. \u003cspan style=\"background-color: var(--darkreader-bg--wht);\"\u003eThis issue affects Pandora FMS: from 700 through \u0026lt;776.\u003c/span\u003e\n\n\u003cp\u003e\u003c/p\u003e" } ], "value": "\nImproper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Pandora FMS on all allows CVE-2008-5817. 
This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 through \u003c776.\n\n" } ], "impacts": [ { "capecId": "CAPEC-66", "descriptions": [ { "lang": "en", "value": "CAPEC-66 SQL Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-19T16:26:12.225Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v776." } ], "value": "Fixed in v776." } ], "source": { "discovery": "EXTERNAL" }, "title": "UnautH SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-44090", "datePublished": "2024-03-19T16:26:12.225Z", "dateReserved": "2023-09-25T08:33:09.669Z", "dateUpdated": "2024-08-02T19:52:12.017Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-7935 (GCVE-0-2020-7935)
Vulnerability from cvelistv5
Published
2020-03-23 15:08
Modified
2024-08-04 09:48
CWE
- n/a
Summary
Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path are known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access.
References
▼ | URL | Tags |
---|---|---|
https://k4m1ll0.com/cve-2020-7935.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:48:24.808Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/cve-2020-7935.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-24T13:18:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/cve-2020-7935.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7935", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. 
An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://k4m1ll0.com/cve-2020-7935.html", "refsource": "MISC", "url": "https://k4m1ll0.com/cve-2020-7935.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7935", "datePublished": "2020-03-23T15:08:25", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-08-04T09:48:24.808Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-15936 (GCVE-0-2017-15936)
Vulnerability from cvelistv5
Published
2017-10-27 20:00
Modified
2024-08-05 20:13
CWE
- n/a
Summary
In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed.
References
▼ | URL | Tags |
---|---|---|
https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:13:05.860Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-10-27T00:00:00", "descriptions": [ { "lang": "en", "value": "In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-27T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15936", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d", "refsource": "MISC", "url": "https://medium.com/stolabs/security-issue-on-pandora-fms-enterprise-be630059a72d" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15936", "datePublished": "2017-10-27T20:00:00", "dateReserved": "2017-10-27T00:00:00", "dateUpdated": "2024-08-05T20:13:05.860Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41788 (GCVE-0-2023-41788)
Vulnerability from cvelistv5
Published
2023-11-23 14:33
Modified
2024-08-02 19:09
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all platforms allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.378Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:35:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-1", "descriptions": [ { "lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:33:44.933Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Remote Code Execution via File Uploader", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41788", "datePublished": "2023-11-23T14:33:44.933Z", "dateReserved": "2023-09-01T11:54:47.538Z", "dateUpdated": "2024-08-02T19:09:48.378Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41792 (GCVE-0-2023-41792)
Vulnerability from cvelistv5
Published
2023-11-23 14:45
Modified
2024-08-02 19:09
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all platforms allows Cross-Site Scripting (XSS). This vulnerability allowed JavaScript code to be executed in the SNMP Trap Editor. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.346Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:45:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the SNMP Trap Editor. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the SNMP Trap Editor. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-63", "descriptions": [ { "lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:45:33.842Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Lack of Authorization and Stored XSS Via SNMP Trap Editor Page", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41792", "datePublished": "2023-11-23T14:45:33.842Z", "dateReserved": "2023-09-01T11:54:47.539Z", "dateUpdated": "2024-08-02T19:09:48.346Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-12992 (GCVE-0-2024-12992)
Vulnerability from cvelistv5
Published
2025-03-17 09:21
Modified
2025-03-17 12:32
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Summary
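Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to 777.6. Note: the structured version data in the record below lists 768 through 780 as affected and gives the fix as v781 and v777.8, so the range stated in this sentence may not match the vendor's current data; check the installed version against both.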
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 768 < |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-12992", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-03-17T12:31:51.304023Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-17T12:32:02.578Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "780", "status": "affected", "version": "768", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Hanko van Giessen a.k.a. h00die-gr3y \u003ch00die.gr3y@gmail.com\u003e" } ], "datePublic": "2025-03-17T09:19:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. \n\nThis issue affects Pandora FMS from 700 to 777.6\n\n." } ], "value": "Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. \n\nThis issue affects Pandora FMS from 700 to 777.6\n\n." 
} ], "impacts": [ { "capecId": "CAPEC-88", "descriptions": [ { "lang": "en", "value": "CAPEC-88 OS Command Injection" } ] }, { "capecId": "CAPEC-137", "descriptions": [ { "lang": "en", "value": "CAPEC-137 Parameter Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-17T09:21:39.002Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v781 and v777.8\n\n\u003cbr\u003e" } ], "value": "Fixed in v781 and v777.8" } ], "source": { "discovery": "EXTERNAL" }, "title": "Remote Code Execution leads to Command Injection", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2024-12992", "datePublished": 
"2025-03-17T09:21:39.002Z", "dateReserved": "2024-12-27T10:50:03.410Z", "dateUpdated": "2025-03-17T12:32:02.578Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-36697 (GCVE-0-2021-36697)
Vulnerability from cvelistv5
Published
2021-11-03 11:33
Modified
2024-08-04 01:01
CWE
- n/a
Summary
With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be executed with an HTTP request.
References
▼ | URL | Tags |
---|---|---|
http://artica.com | x_refsource_MISC | |
http://pandora.com | x_refsource_MISC | |
https://k4m1ll0.com/chained_exploit_htaccess.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:01:59.056Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://artica.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://pandora.com" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "With an admin account, the .htaccess file in Artica Pandora FMS \u003c=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new \"file type\" and the code can be executed with an HTTP request." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-03T11:33:57", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://artica.com" }, { "tags": [ "x_refsource_MISC" ], "url": "http://pandora.com" }, { "tags": [ "x_refsource_MISC" ], "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-36697", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "With an admin account, the .htaccess file in Artica Pandora FMS \u003c=755 can be overwritten 
with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new \"file type\" and the code can be executed with an HTTP request." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://artica.com", "refsource": "MISC", "url": "http://artica.com" }, { "name": "http://pandora.com", "refsource": "MISC", "url": "http://pandora.com" }, { "name": "https://k4m1ll0.com/chained_exploit_htaccess.html", "refsource": "MISC", "url": "https://k4m1ll0.com/chained_exploit_htaccess.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-36697", "datePublished": "2021-11-03T11:33:57", "dateReserved": "2021-07-12T00:00:00", "dateUpdated": "2024-08-04T01:01:59.056Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41808 (GCVE-0-2023-41808)
Vulnerability from cvelistv5
Published
2023-11-23 14:51
Modified
2024-12-02 19:36
CWE
- CWE-269 - Improper Privilege Management
Summary
Improper Privilege Management vulnerability in Pandora FMS on all platforms allows Privilege Escalation. This vulnerability allows an unauthorised user to escalate and read sensitive files as if they were root. This issue affects Pandora FMS: from 700 through 773.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:49.015Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-41808", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-12-02T19:36:08.825730Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-02T19:36:21.120Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "773", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:55:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows an unauthorised user to escalate and read sensitive files as if they were root. This issue affects Pandora FMS: from 700 through 773." } ], "value": "Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows an unauthorised user to escalate and read sensitive files as if they were root. This issue affects Pandora FMS: from 700 through 773." 
} ], "impacts": [ { "capecId": "CAPEC-233", "descriptions": [ { "lang": "en", "value": "CAPEC-233 Privilege Escalation" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:51:17.223Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v774 and v772.2." } ], "value": "Fixed in v774 and v772.2." } ], "source": { "discovery": "EXTERNAL" }, "title": "Arbitrary File Read As Root Via GoTTY Page", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41808", "datePublished": "2023-11-23T14:51:17.223Z", "dateReserved": "2023-09-01T12:10:03.868Z", "dateUpdated": "2024-12-02T19:36:21.120Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-41787 (GCVE-0-2023-41787)
Vulnerability from cvelistv5
Published
2023-11-23 14:31
Modified
2024-08-02 19:09
CWE
- CWE-427 - Uncontrolled Search Path Element
Summary
Uncontrolled Search Path Element vulnerability in Pandora FMS on all platforms allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772.
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T19:09:48.262Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThanOrEqual": "772", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Oliver Brooks \u003collie.brooks@nccgroup.com\u003e" } ], "datePublic": "2023-11-23T14:30:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772." } ], "value": "Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772." 
} ], "impacts": [ { "capecId": "CAPEC-38", "descriptions": [ { "lang": "en", "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-23T14:31:41.618Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v773 and v772.1." } ], "value": "Fixed in v773 and v772.1." } ], "source": { "discovery": "EXTERNAL" }, "title": "Arbitrary File Read", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2023-41787", "datePublished": "2023-11-23T14:31:41.618Z", "dateReserved": "2023-09-01T11:54:47.538Z", "dateUpdated": "2024-08-02T19:09:48.262Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-35305 (GCVE-0-2024-35305)
Vulnerability from cvelistv5
Published
2024-06-10 14:28
Modified
2024-08-02 03:07
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
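Unauthenticated time-based SQL injection in the API allows an attacker to exploit the HTTP request Authorization header. This issue affects Pandora FMS: from 700 up to, but not including, 777. Note: the CVSS 4.0 vector in the record below gives PR:L, which is at odds with "unauthenticated"; confirm the required privileges against the vendor advisory.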
References
▼ | URL | Tags |
---|---|---|
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pandora FMS | Pandora FMS |
Version: 700 < 777 |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "pandora_fms", "vendor": "artica", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-35305", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-11T14:22:59.082085Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-11T14:29:45.939Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:07:46.945Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "all" ], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [ { "lessThan": "777", "status": "affected", "version": "700", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Aleksey Solovev (Positive Technologies)" } ], "datePublic": "2024-06-10T14:21:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header.\u0026nbsp;This issue affects Pandora FMS: from 700 through \u0026lt;777." } ], "value": "Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header.\u00a0This issue affects Pandora FMS: from 700 through \u003c777." 
} ], "impacts": [ { "capecId": "CAPEC-66", "descriptions": [ { "lang": "en", "value": "CAPEC-66 SQL Injection" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "YES", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.9, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "GREEN", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/RE:L/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-10T14:28:18.393Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Fixed in v777" } ], "value": "Fixed in v777" } ], "source": { "discovery": "EXTERNAL" }, "title": "Unauth Time-Based SQL Injection via API", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "PandoraFMS", "cveId": "CVE-2024-35305", "datePublished": "2024-06-10T14:28:18.393Z", "dateReserved": "2024-05-16T17:38:35.342Z", "dateUpdated": "2024-08-02T03:07:46.945Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }