CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26308 – Improper Access Control in Configuration (Credential store)
https://notcve.org/view.php?id=CVE-2022-26308
01 Aug 2022 — Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role. Pandora FMS versiones v7.0NG.760 y anteriores, permiten un control de acceso inapropiado en la Configuración (Almacén de credenciales) donde un usuario con el rol de Operador (Escritura) podría crear, borrar, visualizar claves existentes que están fuera del rol previsto • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1648 – Relative Path Traversal to Remote Code Execution in File Manager
https://notcve.org/view.php?id=CVE-2022-1648
26 Jul 2022 — Pandora FMS v7.0NG.760 and below allows a relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to a Remote Code Execution with running application privilege. Pandora FMS versión v7.0NG.760 y anteriores, permite un salto de ruta relativo en el Administrador de Archivos en el que un usuario con privilegios podría cargar un archivo .php fuera del directorio de imágenes p... • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2059 – Stored Cross Site-Scripting in Agent Manager
https://notcve.org/view.php?id=CVE-2022-2059
25 Jul 2022 — In Pandora FMS v7.0NG.761 and below, in the agent creation section, the alias parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. En Pandora FMS versiones v7.0NG.761 y anteriores, en la sección de creación de agentes, el parámetro alias es vulnerable a un ataque de tipo Cross Site-Scripting Almacenado. Esta vulnerabilidad puede ser explotada por un atacante con privilegios de administrador registrado... • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2032 – Stored Cross Site-Scripting in File Manager
https://notcve.org/view.php?id=CVE-2022-2032
25 Jul 2022 — In Pandora FMS v7.0NG.761 and below, in the file manager section, the dirname parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. En Pandora FMS versiones v7.0NG.761 y anteriores, en la sección de administración de ficheros, el parámetro dirname es vulnerable a un Stored Cross Site-Scripting. Esta vulnerabilidad puede ser explotada por un atacante privilegiado de administrador registrado en el sistem... • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0507 – Vulnerability: Authenticated SQL Injection in API
https://notcve.org/view.php?id=CVE-2022-0507
09 Mar 2022 — Found a potential security vulnerability inside the Pandora API. Affected Pandora FMS version range: all versions of NG version, up to OUM 759. This vulnerability could allow an attacker with authenticated IP to inject SQL. Se ha encontrado una potencial vulnerabilidad de seguridad dentro de la API de Pandora. Rango de versiones de Pandora FMS afectadas: todas las versiones de NG, hasta OUM 759. • https://khoori.org/posts/cve-2022-0507 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-36697
https://notcve.org/view.php?id=CVE-2021-36697
03 Nov 2021 — With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be executed with an HTTP request. Con una cuenta de administrador, el fichero .htaccess en Artica Pandora FMS versiones anteriores a 755 incluyéndola, puede ser sobrescrito con el componente File Manager. El nuevo fichero .htaccess contiene u... • http://artica.com • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-36698
https://notcve.org/view.php?id=CVE-2021-36698
03 Nov 2021 — Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name. Pandora FMS versiones hasta 755, permite un ataque de tipo XSS por medio de un nuevo Filtro de Eventos con un nombre diseñado • http://artica.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-34075
https://notcve.org/view.php?id=CVE-2021-34075
30 Jun 2021 — In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. En Artica Pandora FMS versiones anteriores a 754 incluyéndola, en el componente File Manager, presenta información confidencial expuesta en el lado del cliente a la que los atacantes pueden acceder • https://k4m1ll0.com/cve-2021-34075.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2021-35501 – Pandora FMS 7.54 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-35501
25 Jun 2021 — PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite un ataque de tipo XSS almacenado al colocar una carga útil en el campo name de una consola visual. Cuando un usuario o un administrador visita la consola, la carga útil de tipo XSS será ejecutada • https://packetstorm.news/files/id/163466 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 1CVE-2021-34074
https://notcve.org/view.php?id=CVE-2021-34074
25 Jun 2021 — PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite una carga arbitraria de ficheros, conllevando a una ejecución de comandos remota por medio del Administrador de Archivos. Para omitir la protección incorporada, es usada una ruta relativa en las peticiones • https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-434: Unrestricted Upload of File with Dangerous Type •