Pandora Fms

SQL injection in Pandora FMS versions 777-800 allows authenticated attackers with low privileges to exfiltrate or manipulate database contents via the graph container parameter. Attack complexity is high with present attack techniques, requiring specific timing conditions. No active exploitation confirmed per CISA KEV, and EPSS data not provided. Vendor advisory available from PandoraFMS confirms the vulnerability affecting a narrow version range spanning approximately builds 777 through 800.

Server-Side Request Forgery (SSRF) in Pandora FMS versions 777-800 enables authenticated attackers to escalate privileges through the API Checker extension. Attackers with low-privilege network access can force the server to make arbitrary requests, potentially accessing internal resources and escalating to higher confidentiality impact (CVSS VC:H). EPSS data not available; no confirmed active exploitation (not in CISA KEV). Vendor has acknowledged the issue per PandoraFMS security advisory, indicating patch development is likely underway.

Cross-Site Request Forgery in Pandora FMS versions 777 through 800 enables attackers to execute unauthorized administrative actions through victim interaction with malicious web pages. The network-accessible attack requires no authentication but depends on user interaction (CVSS AV:N/PR:N/UI:P), allowing high integrity impact (VI:H) with limited confidentiality exposure (VC:L). No active exploitation confirmed (CISA KEV not listed), EPSS data not available for assessment. Vendor Pandora FMS has acknowledged the vulnerability with public disclosure.

Authentication bypass in Pandora FMS versions 777-800 allows remote attackers to gain unauthorized API access via insecure default resource initialization. The vulnerability stems from CWE-1188 (default credentials or configuration), enabling attackers to bypass authentication mechanisms and access the API with high confidentiality and integrity impact. CVSS 4.0 scores this at 9.1 CRITICAL due to network attack vector requiring no privileges or user interaction, though attack complexity is high and specific timing conditions apply (AT:P). No CISA KEV listing or public POC identified at time of analysis, suggesting exploitation requires vendor-specific knowledge of the insecure defaults.

OS command injection in Pandora FMS versions 777 through 800 enables high-privileged remote attackers to execute arbitrary operating system commands through the Event Response execution functionality. While requiring administrative credentials (PR:H), successful exploitation grants extensive system access with high confidentiality and integrity impact. No public exploit identified at time of analysis, though the specific attack vector through Event Response features provides a clear exploitation pathway for authenticated administrators or compromised admin accounts.

SQL injection in Pandora FMS versions 777 through 800 enables authenticated remote attackers to execute arbitrary SQL commands via specially crafted custom field inputs, potentially exposing sensitive monitoring data, modifying database contents, or compromising the underlying infrastructure management system. The vulnerability requires low-privilege authentication (PR:L) but has high confidentiality and integrity impact across the monitoring platform. No public exploit code or active exploitation confirmed at time of analysis, though the straightforward attack complexity (AC:L) and network accessibility (AV:N) elevate real-world risk for internet-exposed Pandora FMS instances.

SQL injection in Pandora FMS module search functionality allows authenticated attackers to extract, modify, or delete database contents across versions 777 through 800. Attackers with low-level privileges can execute arbitrary SQL commands through improperly sanitized search parameters, leading to high confidentiality and integrity impact. No confirmed active exploitation (CISA KEV) at time of analysis, though the straightforward attack vector (network-accessible, low complexity, authenticated) and limited scope suggest moderate real-world risk for exposed instances.

Stored Cross-Site Scripting (XSS) in Pandora FMS versions 777 through 800 allows authenticated users with low privileges to inject malicious scripts via event comments, which execute in the browsers of other users viewing those comments. The vulnerability has a CVSS score of 2.1 with low confidentiality and integrity impact, requiring user interaction and attack preparation time to exploit. No public exploit code or active exploitation has been identified.

Unauthorized access to configuration endpoints in Pandora FMS versions 777 through 800 exposes sensitive system information to low-privileged authenticated users. The missing authorization control (CWE-276) allows privilege escalation where authenticated users can access configuration data they should not have permissions to view, potentially revealing credentials, internal architecture details, and security settings. With CVSS 8.4 (High) and low attack complexity, this vulnerability poses significant risk in multi-tenant or role-separated Pandora FMS deployments. No public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, requires only basic authentication) makes exploitation highly feasible.

OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the WebServerModuleDebug component. With low attack complexity and no user interaction required, attackers with low-level privileges can achieve high confidentiality and integrity impact on the vulnerable system, plus limited impact on connected systems (CVSS 8.7). No public exploit identified at time of analysis, though the vulnerability has medium remediation effort according to CVSS 4.0 metadata.

OS command injection in Pandora FMS versions 777 through 800 allows authenticated remote attackers to execute arbitrary system commands via the Network Report functionality. The vulnerability stems from improper input sanitization of special elements used in OS commands. With CVSS 8.7 (HIGH) severity and network-accessible attack vector requiring only low privileges, this poses significant risk to monitoring infrastructure despite no confirmed active exploitation (not in CISA KEV) or public exploit code at time of analysis.

Remote code execution in Pandora FMS versions 777 through 800 enables authenticated administrators to upload malicious files and execute arbitrary code on the server. The vulnerability stems from inadequate file type validation during upload operations, allowing attackers with high-privilege credentials to bypass security controls. With a CVSS 4.0 score of 8.6 and attack complexity rated as low, this represents a significant risk for organizations using affected versions, though exploitation requires prior administrative access to the monitoring platform.

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778

Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE.6 . Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Pandora FMS monitoring platform versions 700 through 777.6 contain a command injection vulnerability that allows OS command execution. The improper neutralization of special elements in monitoring agent communication enables attackers to execute arbitrary commands on the Pandora FMS server with the application's privileges.