CVE-2023-44088
published 2023-12-29

Priority: P260 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 0.73% (49.6th percentile)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all platforms allows SQL Injection. Arbitrary SQL queries could be executed using any account with low privileges. This issue affects Pandora FMS: from 700 through 774.

Affected (2 ranges)

Vendor       Product      Version range  Fixed in
pandora_fms  pandora_fms  700 – 774
pandorafms   pandora_fms  700 – 774

Detection & IOCs (extracted from sources)

url: ?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data
url: ?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder
path: pandora_console/
command: {name}.jpg',({query}),'1','1','1','1');-- helloo.jpg
  • Monitor POST requests to the visual_console_builder endpoint (sec2=godmode/reporting/visual_console_builder&tab=data) where the multipart 'background_image' filename field contains SQL metacharacters such as single quotes, parentheses, or SQL comment sequences (e.g., ');-- ).
  • Detect tab-character obfuscation used to bypass space-based WAF/filters: the exploit replaces spaces in the SQL payload with tab characters before sending.
  • Alert on multipart file upload requests to Pandora FMS where the filename parameter in the Content-Disposition header contains SQL injection patterns (quotes, comment markers '--', or stacked query syntax).
  • The exploit requires an authenticated low-privilege session; monitor for low-privilege accounts accessing godmode/reporting paths, which are typically restricted to administrators.
  • Look for the string 'helloo.jpg' in web server access logs or multipart upload filenames as a static artifact left by the public exploit.
  • The vulnerability affects Pandora FMS versions 700 through 774; version 775 or later is required to be outside the affected range.
  • Exploitation requires a valid authenticated session (any low-privilege account suffices); unauthenticated exploitation is not demonstrated by this exploit.
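
The filename checks listed above, as an added detection sketch (not code from Pandora FMS or from this page's sources). It assumes the request method, URL and raw multipart body are available to the detector, for example from a reverse proxy or WAF log; the function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One multipart part header: field name plus the client-supplied filename.
PART_RE = re.compile(
    r'Content-Disposition:\s*form-data;\s*name="([^"\r\n]*)";\s*filename="([^"\r\n]*)"',
    re.IGNORECASE)

# Indicator name -> predicate over the raw filename (taken from the bullets above).
CHECKS = {
    "single_quote": lambda f: "'" in f,
    "parentheses": lambda f: "(" in f or ")" in f,
    "sql_comment": lambda f: "--" in f,
    "stacked_query": lambda f: ";" in f,
    "tab_character": lambda f: "\t" in f,
    "static_artifact_helloo.jpg": lambda f: "helloo.jpg" in f.lower(),
}

def is_target_endpoint(url):
    """True when the query string selects the visual console builder data tab."""
    q = parse_qs(urlsplit(url).query)
    return ("godmode/reporting/visual_console_builder" in q.get("sec2", [])
            and "data" in q.get("tab", []))

def inspect_upload(method, url, body):
    """Return the sorted indicator names found in the background_image filename."""
    if method.upper() != "POST" or not is_target_endpoint(url):
        return []
    hits = set()
    for field, filename in PART_RE.findall(body):
        if field == "background_image":
            hits.update(n for n, check in CHECKS.items() if check(filename))
    return sorted(hits)

# Constructed sample data (not captured traffic). PAGE_STRING is the "command"
# indicator listed on this page, with its placeholders left unfilled.
URL = "/pandora_console/?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data"
PAGE_STRING = "{name}.jpg',({query}),'1','1','1','1');-- helloo.jpg"

def multipart(filename):
    """Build a minimal constructed multipart body carrying the given filename."""
    return ("--b\r\nContent-Disposition: form-data; "
            f'name="background_image"; filename="{filename}"\r\n'
            "Content-Type: image/jpeg\r\n\r\n<image bytes>\r\n--b--\r\n")

if __name__ == "__main__":
    for fn in ("datacenter.jpg", PAGE_STRING, PAGE_STRING.replace(" ", "\t")):
        print(repr(fn), "->", inspect_upload("POST", URL, multipart(fn)))
```

A single indicator such as parentheses also occurs in benign filenames, so alerting is more reliable on combinations (quote plus comment marker, or any tab character) than on one hit alone.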