Webchat history is accessible without authentication in FMS <= 7.42 - CVE-2020-8497
Last Modified: 2024.01.19.
Technical Details
In Artica Pandora FMS 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps.
http://.../pandora_console/attachment/pandora_chat.log.json.txt
Unfortunately, there are live installations with this bug, and the chat history is visible like this. I got in touch with the vendor and they fixed it in Pandora FMS 744.
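To check whether the chat log was served from your own console, the following added example (not part of the original advisory) scans web-server access logs for successful responses to the path above. It assumes the Apache/nginx combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path suffix taken from the advisory; the prefix in front of it may differ per site.
CHAT_LOG_SUFFIX = "/attachment/pandora_chat.log.json.txt"

# Assumed combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize_path(target):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path)

def find_chat_log_reads(lines):
    """Return {client_ip: [(time, status, bytes), ...]} for served chat-log requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not normalize_path(m["target"]).endswith(CHAT_LOG_SUFFIX):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # 200/206 with a non-empty body means the history was returned to the client.
        if status in (200, 206) and size > 0:
            hits[m["ip"]].append((m["time"], status, size))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.23 - - [19/Jan/2024:10:02:11 +0000] "GET /pandora_console/attachment/pandora_chat.log.json.txt HTTP/1.1" 200 18342 "-" "curl/8.0"',
    '198.51.100.23 - - [19/Jan/2024:10:02:15 +0000] "GET /pandora_console//attachment/pandora_chat%2Elog.json.txt?x=1 HTTP/1.1" 200 18342 "-" "curl/8.0"',
    '203.0.113.7 - - [19/Jan/2024:10:05:40 +0000] "GET /pandora_console/attachment/pandora_chat.log.json.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Jan/2024:10:06:02 +0000] "GET /pandora_console/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [19/Jan/2024:10:07:30 +0000] "HEAD /pandora_console/attachment/pandora_chat.log.json.txt HTTP/1.1" 200 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in find_chat_log_reads(SAMPLE).items():
        print(ip, events)
```

Any client reported here received the chat history; a 403 or 404 for the same path, as in the third sample line, indicates the file is no longer served.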
© 2019-2024 Kamilló Matek (k4m1ll0) All Rights Reserved