CVE-2022-0507 – Vulnerability: Authenticated SQL Injection in API
https://notcve.org/view.php?id=CVE-2022-0507
Found a potential security vulnerability inside the Pandora API. Affected Pandora FMS version range: all versions of NG version, up to OUM 759. This vulnerability could allow an attacker with authenticated IP to inject SQL. Se ha encontrado una potencial vulnerabilidad de seguridad dentro de la API de Pandora. Rango de versiones de Pandora FMS afectadas: todas las versiones de NG, hasta OUM 759. • https://khoori.org/posts/cve-2022-0507 https://pandorafms.com/en/security/common-vulnerabilities-and-exposures https://www.incibe.es/en/cve-assignment-publication/coordinated-cves • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-35501 – Pandora FMS 7.54 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-35501
PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite un ataque de tipo XSS almacenado al colocar una carga útil en el campo name de una consola visual. Cuando un usuario o un administrador visita la consola, la carga útil de tipo XSS será ejecutada • http://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-34074
https://notcve.org/view.php?id=CVE-2021-34074
PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. To bypass the built-in protection, a relative path is used in the requests. PandoraFMS versiones anteriores a 7.54 incluyéndola, permite una carga arbitraria de ficheros, conllevando a una ejecución de comandos remota por medio del Administrador de Archivos. Para omitir la protección incorporada, es usada una ruta relativa en las peticiones • https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2020-11749 – PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-11749
Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2. Pandora FMS versiones 7.0 NG anteriores a 746 incluyéndola, sufre de múltiples vulnerabilidades de tipo XSS en diferentes vistas del navegador. Un administrador de red que escanea un dispositivo SNMP puede desencadenar un ataque de tipo Cross Site Scripting (XSS), que puede ejecutar código arbitrario para permitir una ejecución de código remota como root o apache2 • https://www.exploit-db.com/exploits/48707 https://medium.com/%40tehwinsam/multiple-xss-on-pandorafms-7-0-ng-744-64b244b8523c https://packetstormsecurity.com/files/158389/Pandora-FMS-7.0-NG-746-Script-Insertion-Code-Execution.htmlPoC https://pandorafms.com/downloads/whats-new-747-EN.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-13851 – Pandora FMS 7.0 NG 7XX Remote Command Execution
https://notcve.org/view.php?id=CVE-2020-13851
Artica Pandora FMS 7.44 allows remote command execution via the events feature. Artica Pandora FMS versión 7.44, permite una ejecución de comandos remota por medio de la funcionalidad events • http://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html https://www.coresecurity.com/advisories https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •