ReportizFlow
Filtered by vendor Artica
Subscriptions
Filtered by product Pandora Fms
Subscriptions
Total
56 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-35307 | 2 Artica, Pandorafms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| Argument Injection Leading to Remote Code Execution in Realtime Graph Extension, allowing unauthenticated attackers to execute arbitrary code on the server. This issue affects Pandora FMS: from 700 through <777. | ||||
| CVE-2024-12971 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 8.8 High |
| Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6 | ||||
| CVE-2024-12992 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to 777.6 . | ||||
| CVE-2024-35306 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777. | ||||
| CVE-2024-35305 | 1 Artica | 1 Pandora Fms | 2025-09-16 | 9.8 Critical |
| Unauth Time-Based SQL Injection in API allows to exploit HTTP request Authorization header. This issue affects Pandora FMS: from 700 through <777. | ||||
| CVE-2024-35304 | 2 Artica, Pandorafms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| System command injection through Netflow function due to improper input validation, allowing attackers to execute arbitrary system commands. This issue affects Pandora FMS: from 700 through <777. | ||||
| CVE-2023-44092 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 7.6 High |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Pandora FMS on all allows OS Command Injection. This vulnerability allowed to create a reverse shell and execute commands in the OS. This issue affects Pandora FMS: from 700 through <776. | ||||
| CVE-2023-44091 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 7.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows SQL Injection. This ulnerability allowed SQL injections to be made even if authentication failed.This issue affects Pandora FMS: from 700 through <776. | ||||
| CVE-2023-44090 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 6.8 Medium |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows CVE-2008-5817. This vulnerability allowed SQL changes to be made to several files in the Grafana module. This issue affects Pandora FMS: from 700 through <776. | ||||
| CVE-2023-41793 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 6.7 Medium |
| : Path Traversal vulnerability in Pandora FMS on all allows Path Traversal. This vulnerability allowed changing directories and creating files and downloading them outside the allowed directories. This issue affects Pandora FMS: from 700 through <776. | ||||
| CVE-2025-5306 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-09-16 | 9.8 Critical |
| Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778 | ||||
| CVE-2014-125124 | 3 Artica, Pandora Fms, Pandorafms | 4 Pandora Fms, Pandora Fms, Artica Pandora Fms and 1 more | 2025-07-31 | N/A |
| An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials. | ||||
| CVE-2014-125115 | 2 Artica, Pandora Fms | 2 Pandora Fms, Pandora Fms | 2025-07-31 | N/A |
| An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution. | ||||
| CVE-2023-41791 | 1 Artica | 1 Pandora Fms | 2025-06-03 | 8.4 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce Javascript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773. | ||||
| CVE-2017-15937 | 1 Artica | 1 Pandora Fms | 2025-04-20 | N/A |
| Artica Pandora FMS version 7.0 leaks a full installation pathname via GET data when intercepting the main page's graph requisition. This also implies that general OS information is leaked (e.g., a /var/www pathname typically means Linux or UNIX). | ||||
| CVE-2017-15936 | 1 Artica | 1 Pandora Fms | 2025-04-20 | N/A |
| In Artica Pandora FMS version 7.0, an Attacker with write Permission can create an agent with an XSS Payload; when a user enters the agent definitions page, the script will get executed. | ||||
| CVE-2017-15934 | 1 Artica | 1 Pandora Fms | 2025-04-20 | N/A |
| Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scripting in the map name parameter. | ||||
| CVE-2017-15935 | 1 Artica | 1 Pandora Fms | 2025-04-20 | N/A |
| Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execution through the manager files function. This is only exploitable by administrators who upload a PHP file. | ||||
| CVE-2010-4281 | 1 Artica | 1 Pandora Fms | 2025-04-11 | N/A |
| Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character. | ||||
| CVE-2010-4282 | 1 Artica | 1 Pandora Fms | 2025-04-11 | N/A |
| Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php. | ||||