CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-34075
https://notcve.org/view.php?id=CVE-2021-34075
In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. En Artica Pandora FMS versiones anteriores a 754 incluyéndola, en el componente File Manager, presenta información confidencial expuesta en el lado del cliente a la que los atacantes pueden acceder • https://k4m1ll0.com/cve-2021-34075.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-35501 – Pandora FMS 7.54 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-35501
PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite un ataque de tipo XSS almacenado al colocar una carga útil en el campo name de una consola visual. Cuando un usuario o un administrador visita la consola, la carga útil de tipo XSS será ejecutada • http://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2021-34074
https://notcve.org/view.php?id=CVE-2021-34074
PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite una carga arbitraria de ficheros, conllevando a una ejecución de comandos remota por medio del Administrador de Archivos. Para omitir la protección incorporada, es usada una ruta relativa en las peticiones • https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 2CVE-2021-32098
https://notcve.org/view.php?id=CVE-2021-32098
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Artica Pandora FMS 742, permite a atacantes no autenticados llevar a cabo una deserialización Phar • https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained https://pandorafms.com/blog/whats-new-in-pandora-fms-743 https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 5CVE-2021-32099
https://notcve.org/view.php?id=CVE-2021-32099
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass. Una vulnerabilidad de inyección SQL en el componente pandora_console de Artica Pandora FMS, permite a un atacante no autenticado actualizar su sesión sin privilegios por medio del parámetro session_id en el archivo /include/chart_generator.php, conllevando a un desvío de inicio de sesión • https://github.com/ibnuuby/CVE-2021-32099 https://github.com/zjicmDarkWing/CVE-2021-32099 https://github.com/akr3ch/CVE-2021-32099 https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained https://pandorafms.com/blog/whats-new-in-pandora-fms-743 https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •