CVE-2025-4678

EUVD-2025-17709 | HIGH 7.0 (CVSS 4.0) | 2025-06-10

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/R:U/V:D/RE:M/U:Green
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: N

Lifecycle Timeline

- EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17709
- Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
- CVE Published: Jun 10, 2025 - 16:15 (nvd), HIGH 7.0

Description

Improper Neutralization of Special Elements in the chromium_path variable may allow OS command injection. This issue affects Pandora ITSM 5.0.105.

Analysis

CVE-2025-4678 is an OS command injection vulnerability in Pandora ITSM 5.0.105 where the chromium_path variable fails to properly neutralize special elements, allowing authenticated attackers with high privileges to execute arbitrary system commands. With a CVSS score of 7.0 and network-accessible attack vector, this vulnerability poses a significant risk to affected deployments, particularly if the system is exposed to untrusted administrative users or if privilege escalation chains exist.

Technical Context

This vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in a Command), a class of injection flaws where user-controlled or configuration-supplied input is incorporated into system commands without proper sanitization. In Pandora ITSM 5.0.105, the chromium_path parameter—likely used to specify the location of the Chromium browser binary for rendering or report generation—is passed to a system command execution function without adequate input validation or escaping. An attacker can inject shell metacharacters (such as semicolons, pipes, backticks, or command substitution syntax) into this variable to break out of the intended command context and execute arbitrary commands with the privileges of the application process. The vulnerability affects Pandora ITSM specifically in version 5.0.105, identifiable via CPE as pandora:pandora_itsm:5.0.105.

Affected Products

- vendor: Pandora; product: Pandora ITSM; version: 5.0.105; cpe: cpe:2.3:a:pandora:pandora_itsm:5.0.105:*:*:*:*:*:*:*; status: Vulnerable

Remediation

Immediate remediation:

1. Apply the security patch released by Pandora for Pandora ITSM addressing CVE-2025-4678; check Pandora's security advisory or update channels for patched versions (likely 5.0.106 or later).
2. Interim mitigation: restrict administrative access to Pandora ITSM to trusted personnel only and disable or restrict functionality that configures the chromium_path parameter if not essential.
3. Monitor system logs for suspicious command execution patterns originating from the ITSM application process.
4. Implement input validation on the chromium_path parameter by editing configuration files to enforce absolute paths without special characters, if configuration-driven.
5. Run Pandora ITSM with minimal required privileges (non-root) to limit blast radius if exploitation occurs.

Consult Pandora's official security advisory or vendor documentation for precise patch availability and deployment instructions.
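The "absolute paths without special characters" check from the remediation list, together with shell-free invocation, is sketched below as an added example; it is not Pandora ITSM code, whose implementation this page does not show. The allowed directories, the Chromium flags `--headless` and `--print-to-pdf`, the function names and the sample values are assumptions made for illustration.

```python
import posixpath
import re
import subprocess

# Allowlist: absolute POSIX path built only from letters, digits, '.', '_', '-' and '/'.
SAFE_PATH = re.compile(r"/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+")
# Assumed install locations; adjust to where the browser binary really lives.
ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin", "/opt")


def validate_chromium_path(value):
    """Return the normalized path, or raise ValueError if it is not acceptable."""
    if not isinstance(value, str) or not SAFE_PATH.fullmatch(value):
        raise ValueError("chromium_path must be an absolute path without special characters")
    normalized = posixpath.normpath(value)  # collapses '..' before the directory check
    if not any(normalized.startswith(d + "/") for d in ALLOWED_DIRS):
        raise ValueError("chromium_path is outside the allowed directories")
    return normalized


def build_render_argv(chromium_path, url, out_pdf):
    """Build an argument vector; each element reaches the program as one argument."""
    return [validate_chromium_path(chromium_path), "--headless",
            "--print-to-pdf=" + out_pdf, url]


def render(chromium_path, url, out_pdf):
    """Run the browser without a shell, so metacharacters are never interpreted."""
    return subprocess.run(build_render_argv(chromium_path, url, out_pdf),
                          shell=False, check=True, timeout=60)


def audit(values):
    """Map each candidate setting to 'ok' or the reason it was rejected."""
    results = {}
    for value in values:
        try:
            validate_chromium_path(value)
            results[value] = "ok"
        except ValueError as exc:
            results[value] = str(exc)
    return results


# Constructed sample settings (not taken from any real deployment).
SAMPLES = ["/usr/bin/chromium", "/usr/bin/chromium; id", "/usr/bin/$(id)",
           "chromium", "/usr/bin/../../bin/sh"]

if __name__ == "__main__":
    for value, verdict in audit(SAMPLES).items():
        print(f"{value!r}: {verdict}")
```

Validation and the argument-vector call are complementary: the allowlist rejects a tampered setting at configuration time, and running without a shell means a value that slipped through is still treated as a single program path.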

Priority Score

35

- KEV: 0
- EPSS: +0.3
- CVSS: +35
- POC: 0
