CVE-2025-4653

EUVD-2025-17710 HIGH
Published 2025-06-10
CVSS 4.0 base score 7.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/R:U/V:D/RE:M/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Attack Requirements
None
Safety (supplemental)
Negligible (the S:N in the vector is the CVSS 4.0 supplemental Safety metric; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17710
CVE Published
Jun 10, 2025 - 16:15 nvd

Description

Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.

Analysis

OS command injection in the backup name field of Pandora ITSM 5.0.105, caused by improper neutralization of special elements used in a command (CWE-77). An authenticated attacker holding high privileges (PR:H) can place shell metacharacters in the backup name parameter; when the application builds its backup command from that value, the injected text is interpreted by the shell and the attacker obtains command execution on the host under the web application's OS account. The CVSS 4.0 vector rates confidentiality impact high (VC:H), integrity and availability impact low (VI:L, VA:L) and impact on subsequent systems low (SC:L/SI:L/SA:L). The 7.0 score is held down by the privilege requirement, but the flaw is reachable over the network (AV:N) with low complexity (AC:L), no attack requirements (AT:N) and no user interaction (UI:N), so it is a practical post-compromise step in any enterprise where an administrative ITSM account is phished, reused or abused by an insider.

Technical Context

The vulnerability lies in the backup functionality of Pandora ITSM, where user input is handled unsafely. The root cause, CWE-77 (Improper Neutralization of Special Elements used in a Command), arises when an application passes user-controlled input to an OS command execution function (system(), exec() or shell_exec() in PHP; os.system() in Python; Runtime.exec() in Java, and so on) without removing or escaping shell metacharacters such as semicolons, pipes, backticks and $(...) command substitution. Pandora ITSM 5.0.105 appears to assemble its backup command as a string that includes the backup name, so whatever the shell sees in that field is executed. Because Pandora ITSM is a ticketing/ITSM application, the affected interface is normally reachable by helpdesk and administrative users. The advisory names only version 5.0.105; earlier versions may also be affected depending on when the backup feature was introduced.

Affected Products

Pandora ITSM version 5.0.105 is the only version explicitly identified as vulnerable. Other releases in the 5.x line should be treated as potentially affected until the vendor states otherwise, and earlier lines (4.x and below) should be checked for the same backup-name handling. Which release contains the fix is not stated here; consult the vendor's advisories to confirm the affected range and the patched version. For asset matching, a CPE 2.3 identifier of the form cpe:2.3:a:pandora:pandora_itsm:5.0.105:*:*:*:*:*:*:* can be used, but the vendor and product tokens actually assigned by NVD should be verified rather than assumed. Deployments where the ITSM server shares a host or network segment with other systems, or where the application's OS account holds broad filesystem or database access, face the greatest impact, since the injected commands run with that account's rights.

Remediation

Immediate actions:
(1) Upgrade Pandora ITSM to the release the vendor identifies as fixed; this page does not confirm a specific patched version.
(2) Apply any vendor-provided security patches from the official advisory and patch repository.
(3) Restrict access to the backup functionality through role-based access control and least privilege: only the administrators who actually perform backups should be able to set the backup name.
(4) Validate the backup name against an allow-list (alphanumerics, hyphens and underscores only, bounded length) and reject anything else; a deny-list of shell metacharacters is not sufficient.
(5) Never pass the value to a shell. Invoke the backup tool with an argument vector (for example subprocess.run() with shell=False in Python, or escapeshellarg() and an argument list in PHP) so the name is a single argument whatever characters it contains.
(6) Enable audit logging for backup operations and alert on backup names containing metacharacters such as ; | ` $ ( ) > or newlines.
(7) Segment the network so the ITSM administrative interface is reachable only from management hosts.
Workaround: if patches are not yet available, disable the backup feature or block access to it at the firewall or reverse proxy until a maintenance window allows the upgrade.
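The pattern described under Technical Context and the fixes in remediation items (4) and (5), shown as an added Python example that is not Pandora ITSM's code: a hypothetical backup routine that splices the backup name into a shell string (the CWE-77 pattern), the same routine rewritten with an allow-list check and an argv list (shell=False), and a small harness that runs both in a throwaway directory and reports whether the injected command fired. The tar command line, the function names, the directory layout and the two sample backup names are assumptions for the illustration; the product's real backup command is not shown on this page.

```python
"""Added example (not Pandora ITSM code): shell-string backup command vs. hardened version.
All function names, paths and the tar invocation are assumptions for the illustration."""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample inputs for the example.
BENIGN_NAME = "nightly_2025-06-10"
MALICIOUS_NAME = "x; echo INJECTED > pwned.txt; #"   # ';' ends tar's args, '#' hides the rest

TAR_AVAILABLE = shutil.which("tar") is not None

# Allow-list per remediation item (4): leading alphanumeric, then [A-Za-z0-9_-], at most 64 chars.
# It also rejects '/', '.' and whitespace, so traversal names such as "../x" fail the same check.
BACKUP_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def validate_backup_name(name: str) -> bool:
    """True only for names on the allow-list; the same test can flag audit-log entries."""
    return BACKUP_NAME_RE.fullmatch(name) is not None


def build_command_vulnerable(name: str, backup_dir: str, src_dir: str) -> str:
    """CWE-77 pattern: the user-controlled name is interpolated into one shell string."""
    return f"tar -czf {backup_dir}/{name}.tar.gz -C {src_dir} ."


def run_backup_vulnerable(name: str, backup_dir: str, src_dir: str) -> int:
    # shell=True hands the string to /bin/sh, like PHP system()/shell_exec():
    # ';', '|', '`' and '$(...)' inside `name` are parsed as shell syntax.
    proc = subprocess.run(build_command_vulnerable(name, backup_dir, src_dir),
                          shell=True, cwd=backup_dir, capture_output=True)
    return proc.returncode


def build_safe_argv(name: str, backup_dir: str, src_dir: str) -> list:
    """Argument vector: the name stays a single argv element whatever characters it holds."""
    return ["tar", "-czf", str(Path(backup_dir) / f"{name}.tar.gz"), "-C", src_dir, "."]


def run_backup_safe(name: str, backup_dir: str, src_dir: str) -> int:
    # Remediation item (4): reject anything outside the allow-list before doing any work.
    if not validate_backup_name(name):
        raise ValueError(f"rejected backup name: {name!r}")
    # Remediation item (5): no shell involved; execve() receives the argv list unchanged.
    proc = subprocess.run(build_safe_argv(name, backup_dir, src_dir),
                          shell=False, cwd=backup_dir, capture_output=True)
    return proc.returncode


def demo(name: str, safe: bool) -> dict:
    """Run one backup in a throwaway tree and report whether the injected command fired."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root, "data")
        src.mkdir()
        (src / "ticket.txt").write_text("sample ticket data")   # constructed content
        out = Path(root, "backups")
        out.mkdir()
        result = {"rejected": False, "rc": None, "injected": False, "archive": False}
        try:
            runner = run_backup_safe if safe else run_backup_vulnerable
            result["rc"] = runner(name, str(out), str(src))
        except ValueError:
            result["rejected"] = True
        result["injected"] = (out / "pwned.txt").exists()   # side effect of the payload
        result["archive"] = any(out.glob("*.tar.gz"))
        return result


if __name__ == "__main__":
    for label, nm, safe in [("vulnerable/benign", BENIGN_NAME, False),
                            ("vulnerable/malicious", MALICIOUS_NAME, False),
                            ("safe/malicious", MALICIOUS_NAME, True),
                            ("safe/benign", BENIGN_NAME, True)]:
        print(f"{label:22s} {demo(nm, safe)}")
```

Running the block shows the malicious name creating pwned.txt in the backup directory through the shell-string path, while the hardened path rejects it before anything executes. Even if the allow-list were bypassed, build_safe_argv would still hand the whole name to tar as one filename argument rather than to a shell, which is why remediation item (5) matters independently of item (4).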

Priority Score

70 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +34.7
CVSS: +35
POC: 0


CVE-2025-4653 vulnerability details – vuln.today
