VYPR

Pandorafms

by Artica

CVEs (46)

  • CVE-2018-11222HigJun 16, 2018
    risk 0.49cvss 7.5epss 0.07

    Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.

  • CVE-2026-34188HigApr 13, 2026
    risk 0.47cvss 7.2epss 0.01

    Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800

  • CVE-2026-30804HigApr 13, 2026
    risk 0.47cvss 7.2epss 0.00

    Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800

  • CVE-2020-8511HigMar 23, 2020
    risk 0.47cvss 7.2epss 0.03

    In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500.

  • CVE-2020-7935HigMar 23, 2020
    risk 0.47cvss 7.2epss 0.03

    Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The…

  • CVE-2020-8500HigMar 2, 2020
    risk 0.47cvss 7.2epss 0.04

    In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality

  • CVE-2017-15935HigOct 27, 2017
    risk 0.47cvss 7.2epss 0.03

    Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file.

  • CVE-2021-36697MedNov 3, 2021
    risk 0.44cvss 6.7epss 0.00

    With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be…

  • CVE-2026-30811MedApr 13, 2026
    risk 0.42cvss 6.5epss 0.00

    Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800

  • CVE-2022-45437MedFeb 15, 2023
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all allows Cross-Site Scripting (XSS). A user with edition privileges can create a Payload in the reporting dashboard module. An admin user can…

  • CVE-2021-32100MedMay 7, 2021
    risk 0.42cvss 6.5epss 0.03

    A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.

  • CVE-2017-15937MedOct 27, 2017
    risk 0.42cvss 6.5epss 0.01

    Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX).

  • CVE-2022-45436MedFeb 15, 2023
    risk 0.40cvss 6.1epss 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all platforms, allows Cross-Site Scripting (XSS). As a manager privilege user , create a network map containing name as xss payload. Once…

  • CVE-2021-34075MedJun 30, 2021
    risk 0.38cvss 5.9epss 0.01

    In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access.

  • CVE-2026-30812MedApr 13, 2026
    risk 0.35cvss 5.4epss 0.00

    Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800

  • CVE-2020-13853MedJun 11, 2020
    risk 0.35cvss 5.4epss 0.01

    Artica Pandora FMS 7.44 has persistent XSS in the Messages feature.

  • CVE-2020-8497MedMar 23, 2020
    risk 0.35cvss 5.3epss 0.05

    In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps.

  • CVE-2018-11223MedJun 16, 2018
    risk 0.35cvss 5.4epss 0.01

    XSS in Artica Pandora FMS before 7.0 NG 723 allows an attacker to execute arbitrary code via a crafted "refr" parameter in a "/pandora_console/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=" call.

  • CVE-2017-15936MedOct 27, 2017
    risk 0.35cvss 5.4epss 0.01

    In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed.

  • CVE-2017-15934MedOct 27, 2017
    risk 0.35cvss 5.4epss 0.01

    Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter.