Pandorafms
by Pandorafms
CVEs (82)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-46676 | | Med | 0.26 | 4.0 | 0.00 | | Aug 5, 2022 | An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the transactional maps name field. |
| CVE-2023-41814 | | Low | 0.24 | 3.7 | 0.00 | | Dec 29, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). Through an HTML payload (iframe tag) it is possible to carry out XSS attacks when the user receiving the messages opens… |
| CVE-2022-26309 | | Low | 0.24 | 3.7 | 0.00 | | Aug 1, 2022 | Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in Bulk operation (User operation) resulting in elevation of privilege to Administrator group. |
| CVE-2022-26308 | | Low | 0.24 | 3.7 | 0.00 | | Aug 1, 2022 | Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role. |
| CVE-2022-2059 | | Low | 0.23 | 3.5 | 0.00 | | Jul 25, 2022 | In Pandora FMS v7.0NG.761 and below, in the agent creation section, the alias parameter is vulnerable to a Stored Cross-Site Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. |
| CVE-2022-2032 | | Low | 0.23 | 3.5 | 0.00 | | Jul 25, 2022 | In Pandora FMS v7.0NG.761 and below, in the file manager section, the dirname parameter is vulnerable to a Stored Cross-Site Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system. |
| CVE-2023-41813 | | Low | 0.20 | 3.0 | 0.00 | | Dec 29, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). Allows you to edit the Web Console user notification options. This issue affects Pandora FMS: from 700 through 774. |
| CVE-2024-12971 | | | 0.10 | — | 0.59 | | Mar 17, 2025 | Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection. This issue affects Pandora FMS from 700 to 777.6 |
| CVE-2024-11320 | | | 0.10 | — | 0.91 | | Nov 21, 2024 | Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS: from 700 through <=777.4 |
| CVE-2025-34088 | | | 0.09 | — | 0.05 | | Jul 3, 2025 | An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as… |
| CVE-2025-5306 | | | 0.09 | — | 0.20 | | Jun 27, 2025 | Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778 |
| CVE-2024-35307 | | | 0.01 | — | 0.01 | | Jun 10, 2024 | Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora FMS: from 700 through <777. |
| CVE-2024-12992 | | | 0.00 | — | 0.01 | | Mar 17, 2025 | Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to 777.6. |
| CVE-2024-35308 | | | 0.00 | — | 0.01 | | Oct 22, 2024 | A post-authentication arbitrary file read vulnerability within the server plugins section in plugin edition feature. This issue affects Pandora FMS: from 700 through <777.3. |
| CVE-2024-9987 | | | 0.00 | — | 0.00 | | Oct 22, 2024 | A post-authentication SQL Injection vulnerability within the filters parameter of the extensions/agents_modules_csv functionality. This issue affects Pandora FMS: from 700 through <777.3. |
| CVE-2024-35306 | | | 0.00 | — | 0.01 | | Jun 10, 2024 | OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777. |
| CVE-2024-35305 | | | 0.00 | — | 0.00 | | Jun 10, 2024 | Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777. |
| CVE-2024-35304 | | | 0.00 | — | 0.01 | | Jun 10, 2024 | System command injection through Netflow function due to improper input validation, allowing attackers to execute arbitrary system commands. This issue affects Pandora FMS: from 700 through <777. |
| CVE-2023-41793 | | | 0.00 | — | 0.00 | | Mar 19, 2024 | Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700 through <776. |
| CVE-2023-44092 | | | 0.00 | — | 0.01 | | Mar 19, 2024 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Pandora FMS on all allows OS Command Injection. This vulnerability allowed to create a reverse shell and execute commands in the OS. This issue affects Pandora FMS: from… |