7.5
CVE-2010-4281
- EPSS 6.71%
- Published 02.12.2010 17:15:00
- Last modified 11.04.2025 00:51:21
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.
Data is provided by the National Vulnerability Database (NVD)
Artica ≫ Pandora Fms Version <= 3.1
Artica ≫ Pandora Fms Version1.2
Artica ≫ Pandora Fms Version1.3
Artica ≫ Pandora Fms Version1.3 Updatebeta
Artica ≫ Pandora Fms Version1.3 Updatebeta1
Artica ≫ Pandora Fms Version1.3 Updatebeta2
Artica ≫ Pandora Fms Version1.3 Updatebeta3
Artica ≫ Pandora Fms Version1.3.1
Artica ≫ Pandora Fms Version2.0
Artica ≫ Pandora Fms Version2.0 Updatebeta
Artica ≫ Pandora Fms Version2.1
Artica ≫ Pandora Fms Version2.1.1
Artica ≫ Pandora Fms Version3.0
Artica ≫ Pandora Fms Version3.0 Updaterc1
Artica ≫ Pandora Fms Version3.0 Updaterc2
Artica ≫ Pandora Fms Version3.1 Updaterc1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 6.71% | 0.908 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.