CVE-2021-34075
https://notcve.org/view.php?id=CVE-2021-34075
In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. En Artica Pandora FMS versiones anteriores a 754 incluyéndola, en el componente File Manager, presenta información confidencial expuesta en el lado del cliente a la que los atacantes pueden acceder • https://k4m1ll0.com/cve-2021-34075.html • CWE-522: Insufficiently Protected Credentials •
CVE-2021-32098
https://notcve.org/view.php?id=CVE-2021-32098
Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Artica Pandora FMS 742, permite a atacantes no autenticados llevar a cabo una deserialización Phar • https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained https://pandorafms.com/blog/whats-new-in-pandora-fms-743 https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack • CWE-502: Deserialization of Untrusted Data •
CVE-2021-32099
https://notcve.org/view.php?id=CVE-2021-32099
A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass. Una vulnerabilidad de inyección SQL en el componente pandora_console de Artica Pandora FMS, permite a un atacante no autenticado actualizar su sesión sin privilegios por medio del parámetro session_id en el archivo /include/chart_generator.php, conllevando a un desvío de inicio de sesión • https://github.com/ibnuuby/CVE-2021-32099 https://github.com/zjicmDarkWing/CVE-2021-32099 https://github.com/akr3ch/CVE-2021-32099 https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained https://pandorafms.com/blog/whats-new-in-pandora-fms-743 https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-32100
https://notcve.org/view.php?id=CVE-2021-32100
A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user. Se presenta vulnerabilidad de inclusión remota de archivos en Artica Pandora FMS 742, explotable por el usuario menos privilegiado • https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained https://pandorafms.com/blog/whats-new-in-pandora-fms-743 https://portswigger.net/daily-swig/multiple-vulnerabilities-in-pandora-fms-could-trigger-remote-execution-attack •
CVE-2020-26518
https://notcve.org/view.php?id=CVE-2020-26518
Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/include/chart_generator.php session_id parameter. Artica Pandora FMS versiones anteriores a 743, permite a atacantes no autenticados conducir ataques de inyección SQL por medio del parámetro session_id del archivo pandora_console/include/chart_generator.php • https://blog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •