CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-19968
https://notcve.org/view.php?id=CVE-2019-19968
PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is later read and included in dynamic content. PandoraFMS versión 742, sufre de múltiples vulnerabilidades de tipo XSS, afectando a los componentes Agent Management, Report Builder, y Graph Builder. Un usuario autenticado puede inyectar contenido peligroso en un almacén de datos que luego es leído e incluido en un contenido dinámico. • https://k4m1ll0.com/cve-2019-19968.html https://pandorafms.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-20050
https://notcve.org/view.php?id=CVE-2019-20050
Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type. Pandora FMS anterior o igual a la versión 7.42, sufre de una vulnerabilidad de ejecución de código remota. • https://k4m1ll0.com/cve-2019-20050.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 14%CPEs: 1EXPL: 5CVE-2019-20224 – Pandora 7.0NG Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-20224
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742. netflow_get_stats en functions_netflow.php en Pandora FMS 7.0NG permite a los usuarios identificados remotos ejecutar comandos arbitrarios del sistema operativo a través de metacaracteres de shell en el parámetro ip_src en una solicitud index.php operation / netflow / nf_live_view. Este problema se ha solucionado en Pandora FMS 7.0 NG 742. Pandora version 7.0NG suffers from a remote code execution vulnerability. • https://github.com/mhaskar/CVE-2019-20224 http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9 https://pandorafms.com/downloads/solved-pandorafms-742.mp4 https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19681
https://notcve.org/view.php?id=CVE-2019-19681
Pandora FMS 7.x suffers from remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability as it is described is not in fact an actual vulnerability. They state that to be able to create alert commands, you need to have admin rights. They also state that the extended ACL system can disable access to specific sections of the configuration, such as defining new alert commands ** EN DISPUTA ** Pandora FMS 7.x sufre de vulnerabilidad de ejecución remota de código. • https://k4m1ll0.com/cve-2019-19681.html https://medium.com/%40k4m1ll0/remote-code-execution-vulnerability-in-pandorafms-7-x-8ce55d4b1d5a https://pandorafms.com/blog/pandora-fms-vulnerability • CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13035
https://notcve.org/view.php?id=CVE-2019-13035
Artica Pandora FMS 7.0 NG before 735 suffers from local privilege escalation due to improper permissions on C:\PandoraFMS and its sub-folders, allowing standard users to create new files. Moreover, the Apache service httpd.exe will try to execute cmd.exe from C:\PandoraFMS (the current directory) as NT AUTHORITY\SYSTEM upon web requests to the portal. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. Artica Pandora FMS versión 7.0 NG anterior a 735, sufre de una escalada de privilegios local debido a permisos inapropiados en C:\PandoraFMS y sus subcarpetas, permitiendo a usuarios estándar crear nuevos archivos. Adicionalmente, el servicio de Apache httpd.exe intentará ejecutar cmd.exe desde C:\PandoraFMS (el directorio actual) como NT AUTHORITY\SYSTEM sobre las solicitudes web hacia el portal. • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-008.md •