CVE-2021-35501

2021-06-25T00:00:00
ID AKB:64B1C754-763D-4EF4-95D4-31D3E479C599
Type attackerkb
Reporter AttackerKB
Modified 2021-07-02T00:00:00

Description

PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.

Recent assessments:

nu11secur1ty at July 12, 2021 8:57am UTC reported:

PandoraFMS <=7.54 allows Stored XSS by placing a payload in the name field of a visual console. When a user or an administrator visits the console, the XSS payload will be executed.

Reproduce:

    • Stored XSS
      <https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-35501>

Proof:

<https://streamable.com/yjr0fm>

PHPSESSID PWNED

<https://packetstormsecurity.com/files/163466/Pandora-FMS-7.54-Cross-Site-Scripting.html>
<https://streamable.com/b7xt4g>

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 4