CVE-2020-5844
Published 2020-03-16
Priority P259 high | CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 30.25% (98.0th percentile)
index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | — | — |
Detection & IOCs (extracted from sources)
- Detect GET requests to /pandora_console/images/*.php?cmd=. This pattern indicates web shell execution after a successful upload to the images directory.
- Alert on POST requests to /pandora_console/index.php?login=1 followed shortly by file upload requests to godmode/setup/file_manager. This sequence indicates authenticated exploitation of CVE-2020-5844.
- The exploit uses a fixed multipart boundary value (308045185511758964171231871874), which can be used as a network signature to detect exploit tool usage.
- The exploit requires authenticated administrator credentials or a valid PHPSESSID: this is an authenticated RCE, not an unauthenticated one. Detection should account for prior valid login sessions.
- The web shell is executed via base64 decoding of the file location path, not a direct URL. Detection rules should account for this indirect execution mechanism.
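The first two detections above, applied to web server access logs, as an added example that is not part of the original entry or of any vendor tooling. It assumes Apache/nginx combined log format, correlation by client IP, and a 5-minute window for "followed shortly"; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log-format prefix: client IP, timestamp, method, request URL.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3}')
SHELL_PATH = re.compile(r'^/pandora_console/images/[^/]+\.php$', re.I)
WINDOW = timedelta(minutes=5)  # assumption: what counts as "followed shortly"

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Mar/2020:10:00:01 +0000] "POST /pandora_console/index.php?login=1 HTTP/1.1" 200 5120
198.51.100.7 - - [16/Mar/2020:10:00:09 +0000] "POST /pandora_console/index.php?sec2=godmode/setup/file_manager HTTP/1.1" 200 7311
198.51.100.7 - - [16/Mar/2020:10:00:15 +0000] "GET /pandora_console/images/sample.php?cmd=REDACTED HTTP/1.1" 200 58
203.0.113.20 - - [16/Mar/2020:11:30:00 +0000] "POST /pandora_console/index.php?login=1 HTTP/1.1" 200 5120
203.0.113.20 - - [16/Mar/2020:11:30:40 +0000] "GET /pandora_console/images/logo.png HTTP/1.1" 200 2048
"""

def scan(log_text, window=WINDOW):
    """Return (rule, client_ip, url) tuples for lines matching either detection."""
    alerts, last_login = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(m["url"])
        query = parse_qs(url.query, keep_blank_values=True)
        ip, method = m["ip"], m["method"]
        # Rule 1: GET to a PHP file in the images directory carrying a cmd parameter.
        if method == "GET" and SHELL_PATH.match(url.path) and "cmd" in query:
            alerts.append(("webshell_exec", ip, m["url"]))
        # Rule 2: remember logins, then flag file_manager requests inside the window.
        if method == "POST" and url.path == "/pandora_console/index.php" and query.get("login") == ["1"]:
            last_login[ip] = ts
        elif "godmode/setup/file_manager" in unquote(url.query) and ip in last_login:
            if ts - last_login[ip] <= window:
                alerts.append(("login_then_file_manager", ip, m["url"]))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The fixed multipart boundary travels in the request's Content-Type header and body, which access logs do not record, so that signature needs a WAF, proxy or packet-level sensor instead.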
CVSS provenance
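| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |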
No detection rules found.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/167503/Pandora-FMS-7.0NG.742-Remote-Code-Execution.html
- https://github.com/TheCyberGeek/CVE-2020-5844
- https://pandorafms.com