CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-36698
https://notcve.org/view.php?id=CVE-2021-36698
Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name. Pandora FMS versiones hasta 755, permite un ataque de tipo XSS por medio de un nuevo Filtro de Eventos con un nombre diseñado • http://artica.com http://pandora.com https://k4m1ll0.com/chained_exploit_htaccess.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-34075
https://notcve.org/view.php?id=CVE-2021-34075
In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. En Artica Pandora FMS versiones anteriores a 754 incluyéndola, en el componente File Manager, presenta información confidencial expuesta en el lado del cliente a la que los atacantes pueden acceder • https://k4m1ll0.com/cve-2021-34075.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-35501 – Pandora FMS 7.54 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-35501
PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite un ataque de tipo XSS almacenado al colocar una carga útil en el campo name de una consola visual. Cuando un usuario o un administrador visita la consola, la carga útil de tipo XSS será ejecutada • http://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-34074
https://notcve.org/view.php?id=CVE-2021-34074
PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite una carga arbitraria de ficheros, conllevando a una ejecución de comandos remota por medio del Administrador de Archivos. Para omitir la protección incorporada, es usada una ruta relativa en las peticiones • https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 2CVE-2021-32098
https://notcve.org/view.php?id=CVE-2021-32098
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Artica Pandora FMS 742, permite a atacantes no autenticados llevar a cabo una deserialización Phar • https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained https://pandorafms.com/blog/whats-new-in-pandora-fms-743 https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack • CWE-502: Deserialization of Untrusted Data •