Pandora FMS 7.xx Stored XSS vulnerabilities (CVE-2019-19968)

The vendor accepted it as a valid finding and they fixed them in Pandora FMS 743.

In December I found a "Remote Code Execution vulnerability" in Pandora FMS 7.xx (CVE-2019–19681). According to the Vendor, it is not a vulnerability, but NVD/MITRE accepted it as a vulnerability. This CVE is in the DISPUTED state.

Since my purpose is helpful, I tried to find vulnerabilities that are "useful" for them. So I changed my focus and this time my goal was to elevate my privileges from a low-level user to an admin user.

Stored XSS vulnerabilities

I was sure there are other cases, but it was enough to demonstrate the problem. This was around Christmas and I got immediate positive feedback from the vendor. They accepted them as valid findings and they already fixed it in the v743 release.

Note: I used an older software version for demonstration, because I used the vendor provided VMWare Image.

1. Reporting Builder

Reporting -> Custom Reports -> Create report

Old Enviornment 7.xx

1 2 3

New Enviornment 7.42




2. Graph Builder

Reporting -> Custom Graphs -> Create Graph

Old enviornment 7.xx

4 5 6

New Enviornment 7.42

22 23

3. Agent Management

Old enviornment 7.xx

Resources -> Mange Agents -> Create

7 8 9

Additional Content

I made a short demo video on how a real-world attacker could leverage the XSS vulnerability chained with the CVE-2019-19681 CVE to compromise a system with PandoraFMS.