CVE-2020-8500
- EPSS 1.14%
- Published 02.03.2020 16:15:12
- Last modified 21.11.2024 05:38:57
In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality.
- EPSS 14.27%
- Published 12.02.2020 18:15:10
- Last modified 21.11.2024 05:39:43
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than ...
CVE-2019-20050
- EPSS 3.76%
- Published 30.01.2020 16:15:11
- Last modified 21.11.2024 04:37:57
Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabl...
- EPSS 93.65%
- Published 09.01.2020 16:15:10
- Last modified 21.11.2024 04:38:14
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has...
- EPSS 1.76%
- Published 26.12.2019 16:15:10
- Last modified 21.11.2024 04:35:10
Pandora FMS 7.x suffers from a remote code execution vulnerability. With an authenticated user who can modify the alert system, it is possible to define and execute commands as root/Administrator. NOTE: The product vendor states that the vulnerability ...
CVE-2018-11222
- EPSS 5.77%
- Published 16.06.2018 01:29:05
- Last modified 21.11.2024 03:42:56
Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
CVE-2018-11221
- EPSS 16.8%
- Published 16.06.2018 01:29:05
- Last modified 21.11.2024 03:42:55
Unauthenticated untrusted file upload in Artica Pandora FMS through version 7.23 allows an attacker to upload an arbitrary plugin via include/ajax/update_manager.ajax in the update system.
CVE-2017-15937
- EPSS 0.31%
- Published 27.10.2017 20:29:02
- Last modified 20.04.2025 01:37:25
Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX).
CVE-2017-15936
- EPSS 0.27%
- Published 27.10.2017 20:29:01
- Last modified 20.04.2025 01:37:25
In Artica Pandora FMS version 7.0, an attacker with write permission can create an agent with an XSS payload; when a user enters the agent definitions page, the script will get executed.
- EPSS 0.39%
- Published 27.10.2017 20:29:01
- Last modified 20.04.2025 01:37:25
Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file.