CVE-2020-5844
published 2020-03-16

CVE-2020-5844: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and…

Priority: P2 59 high · CVSS 3.1 base score 7.2
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit known
EPSS: 30.25% (98.0th percentile)
index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.

Affected (1 range)

Vendor | Product | Version range | Fixed in
artica | pandora_fms | |

Detection & IOCs (extracted from sources)

url: index.php?sec=godmode/extensions&sec2=extensions/files_repo
url: /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager
filename: unicord.php
url: /pandora_console/images/unicord.php?cmd=whoami
cookie: PHPSESSID
  • Detect GET requests to /pandora_console/images/*.php?cmd= — this pattern indicates web shell execution after a successful upload into the images directory. The images directory is meant for static assets, so any request for a .php file under it is worth alerting on even without a ?cmd= parameter.
  • Alert on a POST to /pandora_console/index.php?login=1 followed within a short window (minutes) by an upload request from the same client to index.php?sec=gsetup&sec2=godmode/setup/file_manager — this sequence indicates authenticated exploitation of CVE-2020-5844. A login with an existing PHPSESSID cookie that goes straight to the upload request should match as well.
  • The public exploit uses a fixed multipart boundary value (308045185511758964171231871874), which can be used as a network signature for exploit tool usage. This requires visibility into request headers (proxy, WAF or IDS); a plain access log will not contain it.
  • The exploit requires administrator credentials or a valid PHPSESSID — this is an authenticated RCE, not an unauthenticated one. Detection should account for a prior valid login session rather than treating the upload as anomalous on its own.
  • The CVE description states that the upload location is passed base64-encoded, so a rule on the upload request has to decode that parameter rather than match the literal target directory name. Execution of the dropped script is then a direct request to it (the images/*.php?cmd= pattern above), so both stages are observable.
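A worked detection example for the indicators above, written for this page; it is not the exploit's code nor anything from the Pandora FMS project. It parses a handful of constructed access-log lines, flags web-shell hits under images/, correlates a login POST with a file_manager upload from the same client within a time window, decodes the base64 location parameter on the upload request, and checks a constructed request header for the fixed multipart boundary. The query-parameter name `directory` used for the base64-encoded location is an assumption (the page does not name the parameter), and the log lines and request header are constructed sample data.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not taken from any real host.
# Lines 1-3 model the exploitation sequence described on the page; lines 4-5 are benign noise.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2020:10:00:01 +0000] "POST /pandora_console/index.php?login=1 HTTP/1.1" 200 512 "-" "python-requests/2.23"
10.0.0.5 - - [16/Mar/2020:10:00:03 +0000] "POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager&directory=aW1hZ2Vz HTTP/1.1" 200 800 "-" "python-requests/2.23"
10.0.0.5 - - [16/Mar/2020:10:00:05 +0000] "GET /pandora_console/images/unicord.php?cmd=whoami HTTP/1.1" 200 42 "-" "python-requests/2.23"
10.0.0.9 - - [16/Mar/2020:11:30:00 +0000] "GET /pandora_console/images/logo.png HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2020:14:00:00 +0000] "POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
FIXED_BOUNDARY = "308045185511758964171231871874"  # boundary value listed in the page's IOCs
LOCATION_PARAM = "directory"  # ASSUMED name of the base64-encoded location field; the page does not give it


@dataclass
class Entry:
    ip: str
    ts: datetime
    method: str
    path: str
    query: dict


def parse_log(text):
    """Parse combined-format lines into Entry objects; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        entries.append(Entry(
            ip=m["ip"],
            ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            method=m["method"],
            path=parts.path,
            query=parse_qs(parts.query),
        ))
    return entries


def webshell_hits(entries):
    """Rule 1: GET /pandora_console/images/<anything>.php?cmd=... (post-upload execution)."""
    return [e for e in entries
            if e.method == "GET"
            and e.path.startswith("/pandora_console/images/")
            and e.path.endswith(".php")
            and "cmd" in e.query]


def decode_location(query):
    """Decode the base64 location parameter if present and well-formed; otherwise None."""
    raw = query.get(LOCATION_PARAM, [None])[0]
    if raw is None:
        return None
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def is_file_manager_upload(e):
    return (e.method == "POST" and e.path == "/pandora_console/index.php"
            and e.query.get("sec2") == ["godmode/setup/file_manager"])


def upload_after_login(entries, window=timedelta(minutes=5)):
    """Rule 2: login POST followed within `window` by a file_manager upload from the same client.

    Returns (ip, upload time, decoded location or None) per match."""
    last_login = {}
    alerts = []
    for e in sorted(entries, key=lambda x: x.ts):
        if e.method == "POST" and e.path == "/pandora_console/index.php" and e.query.get("login") == ["1"]:
            last_login[e.ip] = e.ts
        elif is_file_manager_upload(e):
            t = last_login.get(e.ip)
            if t is not None and e.ts - t <= window:
                alerts.append((e.ip, e.ts, decode_location(e.query)))
    return alerts


def boundary_signature(raw_request):
    """Rule 3: fixed multipart boundary of the public exploit; needs request headers, not an access log."""
    return f"boundary={FIXED_BOUNDARY}" in raw_request


SAMPLE_REQUEST_HEADER = (  # constructed request head, modelled on the IOCs above
    "POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager HTTP/1.1\r\n"
    "Host: pandora.example\r\n"
    "Cookie: PHPSESSID=deadbeef\r\n"
    f"Content-Type: multipart/form-data; boundary={FIXED_BOUNDARY}\r\n\r\n"
)

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for e in webshell_hits(ents):
        print("webshell:", e.ip, e.path, e.query["cmd"])
    for ip, ts, loc in upload_after_login(ents):
        print("login->upload:", ip, ts.isoformat(), "decoded location:", loc)
    print("exploit boundary seen:", boundary_signature(SAMPLE_REQUEST_HEADER))
```

The second client (10.0.0.9) also posts to file_manager but has no login within the window and no location parameter, so it produces no alert; in production that case still deserves a lower-severity log entry, since an administrator reusing a long-lived PHPSESSID skips the login step the correlation relies on.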

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P