Skip to main content

Pandora Fms CVE-2019-13035

HIGH
2019-06-29 cve@mitre.org
7.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 29, 2019 - 13:15 nvd
HIGH 7.8

DescriptionNVD

Artica Pandora FMS 7.0 NG before 735 suffers from local privilege escalation due to improper permissions on C:\PandoraFMS and its sub-folders, allowing standard users to create new files. Moreover, the Apache service httpd.exe will try to execute cmd.exe from C:\PandoraFMS (the current directory) as NT AUTHORITY\SYSTEM upon web requests to the portal. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM.

AnalysisAI

Artica Pandora FMS 7.0 NG before 735 suffers from local privilege escalation due to improper permissions on C:\PandoraFMS and its sub-folders, allowing standard users to create new files. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

Artica Pandora FMS 7.0 NG before 735 suffers from local privilege escalation due to improper permissions on C:\PandoraFMS and its sub-folders, allowing standard users to create new files. Moreover, the Apache service httpd.exe will try to execute cmd.exe from C:\PandoraFMS (the current directory) as NT AUTHORITY\SYSTEM upon web requests to the portal. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. Affected products include: Pandorafms Pandora Fms. Version information: before 735.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-12971 HIGH POC
8.6 Mar 17

Pandora FMS monitoring platform versions 700 through 777.6 contain a command injection vulnerability that allows OS comm

CVE-2025-5306 CRITICAL POC
9.8 Jun 27

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue af

CVE-2025-34088 HIGH POC
8.6 Jul 03

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php

CVE-2020-13851 HIGH POC
8.8 Jun 11

Artica Pandora FMS 7.44 allows remote command execution via the events feature. Rated high severity (CVSS 8.8), this vul

CVE-2024-11320 MEDIUM POC
6.9 Nov 21

Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication me

CVE-2021-34074 CRITICAL POC
9.8 Jun 25

PandoraFMS <=7.54 allows arbitrary file upload, it leading to remote command execution via the File Manager. Rated criti

CVE-2021-32099 CRITICAL POC
9.8 May 07

A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attac

CVE-2021-32098 CRITICAL POC
9.8 May 07

Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. Rated critical severity (CVSS 9

CVE-2020-26518 CRITICAL POC
9.8 Oct 02

Artica Pandora FMS before 743 allows unauthenticated attackers to conduct SQL injection attacks via the pandora_console/

CVE-2020-13854 CRITICAL POC
9.8 Jun 11

Artica Pandora FMS 7.44 allows privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2020-11749 CRITICAL POC
9.0 Jul 13

Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. Rated critical severity

CVE-2020-13850 HIGH POC
7.5 Jun 11

Artica Pandora FMS 7.44 has inadequate access controls on a web folder. Rated high severity (CVSS 7.5), this vulnerabili

Share

CVE-2019-13035 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy