CVE-2023-4677 – Unauthenticated Admin Account Takeover Via Cron Log File Backups
https://notcve.org/view.php?id=CVE-2023-4677
Cron log backup files contain administrator session IDs. It is trivial for any attacker who can reach the Pandora FMS Console to scrape the cron logs directory for cron log backups. The contents of these log files can then be abused to authenticate to the application as an administrator. This issue affects Pandora FMS <= 772. Los archivos de copia de seguridad del registro Cron contienen ID de sesión de administrador. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-287: Improper Authentication CWE-532: Insertion of Sensitive Information into Log File •
CVE-2023-0828 – Stored Cross Site Scripting in syslog section
https://notcve.org/view.php?id=CVE-2023-0828
Cross-site Scripting (XSS) vulnerability in Syslog Section of Pandora FMS allows attacker to cause that users cookie value will be transferred to the attackers users server. This issue affects Pandora FMS v767 version and prior versions on all platforms. Una vulnerabilidad de Cross-site Scripting (XSS) en Syslog Section de Pandora FMS permite a un atacante hacer que el valor de la cookie del usuario se transfiera al servidor del usuario atacante. Este problema afecta a Pandora FMS versión v767 y versiones anteriores en todas las plataformas. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-24518 – Disabling the administrator's account through cross-site request forgery
https://notcve.org/view.php?id=CVE-2023-24518
A Cross-site Request Forgery (CSRF) vulnerability in Pandora FMS allows an attacker to force authenticated users to send a request to a web application they are currently authenticated against. This issue affects Pandora FMS version 767 and earlier versions on all platforms. Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en Pandora FMS permite a un atacante obligar a los usuarios autenticados a enviar una solicitud a una aplicación web en la que están actualmente autenticados. Este problema afecta a Pandora FMS versión 767 y versiones anteriores en todas las plataformas. • https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-24517 – Remote Code Execution via Unrestricted File Upload
https://notcve.org/view.php?id=CVE-2023-24517
Unrestricted Upload of File with Dangerous Type vulnerability in the Pandora FMS File Manager component, allows an attacker to make make use of this issue ( unrestricted file upload ) to execute arbitrary system commands. This issue affects Pandora FMS v767 version and prior versions on all platforms. Vulnerabilidad de subida no restringida de ficheros de tipo peligroso en el componente "File Manager" de Pandora FMS, podría permite a un atacante hacer uso de este problema (subida no restringida de ficheros) para ejecutar comandos arbitrarios del sistema. Este problema afecta a la versión Pandora FMS v767 y anteriores en todas las plataformas. • https://github.com/Argonx21/CVE-2023-24517 https://gist.github.com/Argonx21/9ab62f6e5d8bc6d39b8a338426af121e https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-24516 – Stored Cross Site Scripting - Special Days Module
https://notcve.org/view.php?id=CVE-2023-24516
Cross-site Scripting (XSS) vulnerability in the Pandora FMS Special Days component allows an attacker to use it to steal the session cookie value of admin users easily with little user interaction. This issue affects Pandora FMS v767 version and prior versions on all platforms. Una vulnerabilidad de Cross-site Scripting (XSS) en el componente Pandora FMS Special Days FMS permite a un atacante utilizarlo para robar el valor de la cookie de sesión de los usuarios administradores fácilmente con poca interacción del usuario. Este problema afecta a la versión v767 de Pandora FMS y versiones anteriores en todas las plataformas. • https://gist.github.com/Argonx21/5ef4d123c975285b3a42835c8e81603a https://pandorafms.com/en/security/common-vulnerabilities-and-exposures • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •