CVE-2022-43980

EPSS 0.2%
Published 27.01.2023 22:15:08
Last modified 21.11.2024 07:27:28
Source cve-coordination@incibe.es
Teams watchlist Login
Open Login

There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map, including on purpose the name of an XSS payload. Once created, if a user with admin privileges clicks on the edited network maps, the XSS payload will be executed. The exploitation of this vulnerability could allow an atacker to steal the value of the admin user´s cookie.

Affected products Warnungen 0 Metrics 3 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Pandorafms ≫ Pandora Fms Version < 766

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.2%	0.418

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
cve-coordination@incibe.es	5.2	0.9	4.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/

Vendor Advisory

https://github.com/Argonx21/CVE-2022-43980

https://nvd.nist.gov/vuln/detail/CVE-2022-43980

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-43980

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-43980

EUVD