Artica Pandora FMS vulnerabilities
67 known vulnerabilities affecting artica/pandora_fms.
Total CVEs: 67
CISA KEV: 0
Public exploits: 13
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 29, MEDIUM 20
Vulnerabilities
Page 3 of 4
CVE-2023-41808 | P3 | HIGH | CVSS 7.5 | CWE-269 | ≥ 700, ≤ 773 | 2023-11-23
Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability allows an unauthorised user to escalate and read sensitive files as if they were root. This issue affects Pandora FMS: from 700 through 773.
nvd
CVE-2026-30807 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 777.17 | ≥ 778, < 802 | 2026-05-12
Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page. This issue affects Pandora FMS: from 777 through 800
nvd
CVE-2020-8500 | P3 | HIGH | CVSS 7.2 | CWE-434 | v7.42 | 2020-03-02
In Artica Pandora FMS 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the Updater or Extension component. NOTE: The vendor reports that this is intended functionality
nvd
CVE-2026-30808 | P3 | HIGH | CVSS 8.1 | CWE-384 | fixed in 777.17 | ≥ 778, < 802 | 2026-05-12
Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800
nvd
CVE-2020-8511 | P3 | HIGH | CVSS 7.2 | ≤ 7.42 | 2020-03-23
In Artica Pandora FMS through 7.42, Web Admin users can execute arbitrary code by uploading a .php file via the File Repository component, a different issue than CVE-2020-7935 and CVE-2020-8500.
nvd
CVE-2017-15935 | P3 | HIGH | CVSS 7.2 | CWE-94 | v7.0 | 2017-10-27
Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file.
nvd
CVE-2023-41806 | P3 | HIGH | CVSS 7.5 | CWE-269 | ≥ 700, ≤ 773 | 2023-11-23
Improper Privilege Management vulnerability in Pandora FMS on all allows Privilege Escalation. This vulnerability causes that a bad privilege assignment could cause a DOS attack that affects the availability of the Pandora FMS server. This issue affects Pandora FMS: from 700 through 773.
nvd
CVE-2023-41787 | P3 | HIGH | CVSS 7.5 | CWE-427 | ≥ 700, < 773 | 2023-11-23
Uncontrolled Search Path Element vulnerability in Pandora FMS on all allows Leveraging/Manipulating Configuration File Search Paths. This vulnerability allows access to files with sensitive information. This issue affects Pandora FMS: from 700 through 772.
nvd
CVE-2026-30811 | P3 | MEDIUM | CVSS 6.5 | CWE-276 | ≥ 777, < 800.1 | 2026-04-13
Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800
nvd
CVE-2021-32100 | P3 | MEDIUM | CVSS 6.5 | v742 | 2021-05-07
A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.
nvd
CVE-2023-41786 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | ≥ 700, < 773 | 2023-11-23
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772.
nvd
CVE-2023-41793 | P3 | MEDIUM | CVSS 6.5 | CWE-35 | ≥ 700, < 776 | 2024-03-19
Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700 through <776.
nvd
CVE-2019-20050 | P3 | MEDIUM | CVSS 6.8 | CWE-78 | v7.42 | 2020-01-30
Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type.
nvd
CVE-2023-44090 | P4 | MEDIUM | CVSS 6.4 | ≥ 700, < 776 | 2024-03-19
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows CVE-2008-5817. This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 through <776.
nvd
CVE-2021-34075 | P4 | MEDIUM | CVSS 5.9 | CWE-522 | ≤ 754 | 2021-06-30
In Artica Pandora FMS <=754 in the File Manager component, there is sensitive information exposed on the client side which attackers can access.
nvd
CVE-2017-15937 | P4 | MEDIUM | CVSS 6.5 | CWE-200 | v7.0 | 2017-10-27
Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX).
nvd
CVE-2021-36697 | P4 | MEDIUM | CVSS 6.7 | CWE-74 | ≤ 755 | 2021-11-03
With an admin account, the .htaccess file in Artica Pandora FMS <=755 can be overwritten with the File Manager component. The new .htaccess file contains a Rewrite Rule with a type definition. A normal PHP file can be uploaded with this new "file type" and the code can be executed with an HTTP request.
nvd
CVE-2021-46681 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 757 | 2022-08-05
An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the module massive operation name field.
nvd
CVE-2026-30812 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 777, < 800.1 | 2026-04-13
Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. This issue affects Pandora FMS: from 777 through 800
nvd
CVE-2023-41789 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 700, ≤ 773 | 2023-11-23
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773.
nvd