Pandorafms: >> Pandora Fms >> 7.0_ng_761 Security Vulnerabilities
There is a Path Traversal that leads to a Local File Inclusion in Pandora FMS v764. A function is called to check that the parameter that the user has inserted does not contain malicious characteres, but this check is insufficient. An attacker could insert an absolute path to overcome the heck, thus being able to incluse any PHP file that resides on the disk. The exploitation of this vulnerability could lead to a remote code execution.
CVSS Score
5.9
EPSS Score
0.007
Published
2023-01-27
There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map, including on purpose the name of an XSS payload. Once created, if a user with admin privileges clicks on the edited network maps, the XSS payload will be executed. The exploitation of this vulnerability could allow an atacker to steal the value of the admin userĀ“s cookie.
CVSS Score
5.2
EPSS Score
0.002
Published
2023-01-27
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the event filter name field.
CVSS Score
4.0
EPSS Score
0.001
Published
2022-08-05
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the service name field.
CVSS Score
4.0
EPSS Score
0.001
Published
2022-08-05
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via service elements.
CVSS Score
4.0
EPSS Score
0.001
Published
2022-08-05
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the module form name field.
CVSS Score
4.0
EPSS Score
0.001
Published
2022-08-05
A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the transactional maps name field.
CVSS Score
4.0
EPSS Score
0.001
Published
2022-08-05
In Pandora FMS v7.0NG.761 and below, in the agent creation section, the alias parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system.
CVSS Score
3.5
EPSS Score
0.003
Published
2022-07-25
In Pandora FMS v7.0NG.761 and below, in the file manager section, the dirname parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system.
CVSS Score
3.5
EPSS Score
0.003
Published
2022-07-25
Found a potential security vulnerability inside the Pandora API. Affected Pandora FMS version range: all versions of NG version, up to OUM 759. This vulnerability could allow an attacker with authenticated IP to inject SQL.
CVSS Score
5.8
EPSS Score
0.001
Published
2022-03-10