CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-36698
https://notcve.org/view.php?id=CVE-2021-36698
03 Nov 2021 — Pandora FMS through 755 allows XSS via a new Event Filter with a crafted name. Pandora FMS versiones hasta 755, permite un ataque de tipo XSS por medio de un nuevo Filtro de Eventos con un nombre diseñado • http://artica.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2021-34075
https://notcve.org/view.php?id=CVE-2021-34075
30 Jun 2021 — In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. En Artica Pandora FMS versiones anteriores a 754 incluyéndola, en el componente File Manager, presenta información confidencial expuesta en el lado del cliente a la que los atacantes pueden acceder • https://k4m1ll0.com/cve-2021-34075.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2021-35501 – Pandora FMS 7.54 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-35501
25 Jun 2021 — PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite un ataque de tipo XSS almacenado al colocar una carga útil en el campo name de una consola visual. Cuando un usuario o un administrador visita la consola, la carga útil de tipo XSS será ejecutada • https://packetstorm.news/files/id/163466 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 1CVE-2021-34074
https://notcve.org/view.php?id=CVE-2021-34074
25 Jun 2021 — PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite una carga arbitraria de ficheros, conllevando a una ejecución de comandos remota por medio del Administrador de Archivos. Para omitir la protección incorporada, es usada una ruta relativa en las peticiones • https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 1CVE-2020-26518
https://notcve.org/view.php?id=CVE-2020-26518
02 Oct 2020 — Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter. Artica Pandora FMS versiones anteriores a 743, permite a atacantes no autenticados conducir ataques de inyección SQL por medio del parámetro session_id del archivo pandora_console/include/chart_generator.php • https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 5%CPEs: 1EXPL: 2CVE-2020-11749 – PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-11749
13 Jul 2020 — Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2. Pandora FMS versiones 7.0 NG anteriores a 746 incluyéndola, sufre de múltiples vulnerabilidades de tipo XSS en diferentes vistas del navegador. Un administrador de red que escanea un dispositivo SNMP puede desencadenar un ataque de tipo Cross Site... • https://www.exploit-db.com/exploits/48707 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8511
https://notcve.org/view.php?id=CVE-2020-8511
23 Mar 2020 — In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500. En Artica Pandora FMS versiones hasta 7.42, usuarios de Web Admin pueden ejecutar código arbitrario cargando un archivo .php por medio del componente File Repository, un problema diferente de CVE-2020-7935 y CVE-2020-8500. • https://k4m1ll0.com/cve-2020-8511.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2020-7935
https://notcve.org/view.php?id=CVE-2020-7935
23 Mar 2020 — Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access. Artica Pandora FMS versiones hasta 7.42, e... • https://k4m1ll0.com/cve-2020-7935.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 27%CPEs: 1EXPL: 1CVE-2020-8497
https://notcve.org/view.php?id=CVE-2020-8497
23 Mar 2020 — In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps. En Artica Pandora FMS versiones hasta 7.42, un atacante no autenticado puede leer el historial de chat. El archivo está en formato JSON y contiene nombres de usuario, los ID de usuario, mensajes privados y marcas de tiempo. • https://k4m1ll0.com/cve-2020-8497.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8500
https://notcve.org/view.php?id=CVE-2020-8500
02 Mar 2020 — In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality ** EN DISPUTA ** En Artica Pandora FMS 7.42, los usuarios de Web Admin pueden ejecutar código arbitrario cargando un archivo .php a través del componente Updater o Extension. NOTA: El proveedor informa que esta es la funcionalidad prevista. • https://k4m1ll0.com/cve-2020-8500.html • CWE-434: Unrestricted Upload of File with Dangerous Type •