CVE-2010-4282

2010-12-0217:15:00

CWE-22

[email protected]

web.nvd.nist.gov

pandora fms

directory traversal

vulnerabilities

remote attackers

arbitrary files

nvd

7.2 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.012 Low

EPSS

Percentile

85.1%

JSON

Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.

CPENameOperatorVersion
artica:pandora_fmsartica pandora fmseq1.3
artica:pandora_fmsartica pandora fmseq1.2
artica:pandora_fmsartica pandora fmseq2.1.1
artica:pandora_fmsartica pandora fmsle3.1
artica:pandora_fmsartica pandora fmseq3.0
artica:pandora_fmsartica pandora fmseq2.0
artica:pandora_fmsartica pandora fmseq1.3.1
artica:pandora_fmsartica pandora fmseq2.1

CPE	Name	Operator	Version
artica:pandora_fms	artica pandora fms	eq	1.3
artica:pandora_fms	artica pandora fms	eq	1.2
artica:pandora_fms	artica pandora fms	eq	2.1.1
artica:pandora_fms	artica pandora fms	le	3.1
artica:pandora_fms	artica pandora fms	eq	3.0
artica:pandora_fms	artica pandora fms	eq	2.0
artica:pandora_fms	artica pandora fms	eq	1.3.1
artica:pandora_fms	artica pandora fms	eq	2.1

References

osvdb.org/69543

osvdb.org/69544

osvdb.org/69545

seclists.org/fulldisclosure/2010/Nov/326

secunia.com/advisories/42347

sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download

www.exploit-db.com/exploits/15643

www.securityfocus.com/archive/1/514939/100/0/threaded

www.securityfocus.com/bid/45112