Pandorafms
by Artica
CVEs (46)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-11222 | Hig | 0.49 | 7.5 | 0.07 | Jun 16, 2018 | Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint. | ||
| CVE-2026-34188 | Hig | 0.47 | 7.2 | 0.01 | Apr 13, 2026 | Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800 | ||
| CVE-2026-30804 | Hig | 0.47 | 7.2 | 0.00 | Apr 13, 2026 | Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800 | ||
| CVE-2020-8511 | Hig | 0.47 | 7.2 | 0.03 | Mar 23, 2020 | In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500. | ||
| CVE-2020-7935 | Hig | 0.47 | 7.2 | 0.03 | Mar 23, 2020 | Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The… | ||
| CVE-2020-8500 | Hig | 0.47 | 7.2 | 0.04 | Mar 2, 2020 | In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality | ||
| CVE-2017-15935 | Hig | 0.47 | 7.2 | 0.03 | Oct 27, 2017 | Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file. | ||
| CVE-2021-36697 | Med | 0.44 | 6.7 | 0.00 | Nov 3, 2021 | With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be… | ||
| CVE-2026-30811 | Med | 0.42 | 6.5 | 0.00 | Apr 13, 2026 | Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800 | ||
| CVE-2022-45437 | Med | 0.42 | 6.5 | 0.00 | Feb 15, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all allows Cross-Site Scripting (XSS). A user with edition privileges can create a Payload in the reporting dashboard module. An admin user can… | ||
| CVE-2021-32100 | Med | 0.42 | 6.5 | 0.03 | May 7, 2021 | A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user. | ||
| CVE-2017-15937 | Med | 0.42 | 6.5 | 0.01 | Oct 27, 2017 | Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX). | ||
| CVE-2022-45436 | Med | 0.40 | 6.1 | 0.01 | Feb 15, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all platforms, allows Cross-Site Scripting (XSS). As a manager privilege user , create a network map containing name as xss payload. Once… | ||
| CVE-2021-34075 | Med | 0.38 | 5.9 | 0.01 | Jun 30, 2021 | In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access. | ||
| CVE-2026-30812 | Med | 0.35 | 5.4 | 0.00 | Apr 13, 2026 | Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800 | ||
| CVE-2020-13853 | Med | 0.35 | 5.4 | 0.01 | Jun 11, 2020 | Artica Pandora FMS 7.44 has persistent XSS in the Messages feature. | ||
| CVE-2020-8497 | Med | 0.35 | 5.3 | 0.05 | Mar 23, 2020 | In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps. | ||
| CVE-2018-11223 | Med | 0.35 | 5.4 | 0.01 | Jun 16, 2018 | XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted "refr" parameter in a "/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=" call. | ||
| CVE-2017-15936 | Med | 0.35 | 5.4 | 0.01 | Oct 27, 2017 | In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed. | ||
| CVE-2017-15934 | Med | 0.35 | 5.4 | 0.01 | Oct 27, 2017 | Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter. |
- risk 0.49cvss 7.5epss 0.07
Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
- risk 0.47cvss 7.2epss 0.01
Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800
- risk 0.47cvss 7.2epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800
- risk 0.47cvss 7.2epss 0.03
In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500.
- risk 0.47cvss 7.2epss 0.03
Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The…
- risk 0.47cvss 7.2epss 0.04
In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality
- risk 0.47cvss 7.2epss 0.03
Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file.
- risk 0.44cvss 6.7epss 0.00
With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be…
- risk 0.42cvss 6.5epss 0.00
Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800
- risk 0.42cvss 6.5epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all allows Cross-Site Scripting (XSS). A user with edition privileges can create a Payload in the reporting dashboard module. An admin user can…
- risk 0.42cvss 6.5epss 0.03
A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.
- risk 0.42cvss 6.5epss 0.01
Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX).
- risk 0.40cvss 6.1epss 0.01
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all platforms, allows Cross-Site Scripting (XSS). As a manager privilege user , create a network map containing name as xss payload. Once…
- risk 0.38cvss 5.9epss 0.01
In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access.
- risk 0.35cvss 5.4epss 0.00
Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800
- risk 0.35cvss 5.4epss 0.01
Artica Pandora FMS 7.44 has persistent XSS in the Messages feature.
- risk 0.35cvss 5.3epss 0.05
In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps.
- risk 0.35cvss 5.4epss 0.01
XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted "refr" parameter in a "/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=" call.
- risk 0.35cvss 5.4epss 0.01
In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed.
- risk 0.35cvss 5.4epss 0.01
Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.
Page 2 of 3