
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to the server configuration file and compromise of the database. This issue affects Pandora FMS: from 700 through 773. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-427: Uncontrolled Search Path Element

CVSS: 7.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in Pandora FMS on all allows Accessing Functionality Not Properly Constrained by ACLs. This vulnerability allows attackers to execute code via PHP file uploads. This issue affects Pandora FMS: from 700 through 773. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-427: Uncontrolled Search Path Element

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS <= 772. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-287: Improper Authentication; CWE-532: Insertion of Sensitive Information into Log File

CVSS: 6.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Oct 2023 — Cross-site Scripting (XSS) vulnerability in the Syslog Section of Pandora FMS allows an attacker to cause a user's cookie value to be transferred to the attacking user's server. This issue affects Pandora FMS v767 and prior versions on all platforms. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Oct 2023 — A Cross-site Request Forgery (CSRF) vulnerability in Pandora FMS allows an attacker to force authenticated users to send a request to a web application they are currently authenticated against. This issue affects Pandora FMS version 767 and earlier versions on all platforms. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 2

22 Aug 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in the Pandora FMS File Manager component allows an attacker to make use of this issue (unrestricted file upload) to execute arbitrary system commands. This issue affects Pandora FMS v767 and prior versions on all platforms. • https://github.com/Argonx21/CVE-2023-24517 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

22 Aug 2023 — Cross-site Scripting (XSS) vulnerability in the Pandora FMS Special Days component allows an attacker to use it to steal the session cookie value of admin users easily with little user interaction. This issue affects Pandora FMS v767 and prior versions on all platforms. • https://gist.github.com/Argonx21/5ef4d123c975285b3a42835c8e81603a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')