Pandora FMS <= 5.1 SP1 XSS

medium Nessus Plugin ID 81166

Synopsis

A web console on the remote host is affected by an XSS vulnerability.

Description

The Pandora FMS console hosted on the remote web server is version 5.1 SP1 or prior. It is, therefore, affected by a cross-site scripting vulnerability due to a flaw in 'index.php' where the 'refr' parameter is not properly validated before being returned to users. This can allow a remote attacker to execute arbitrary script code in a user's browser session.

Note that the vendor-supplied fix for this vulnerability does not update the version number reported by the application. If this fix has already been applied, disregard this finding.

Solution

Apply the vendor-supplied fix.

See Also

https://blog.pandorafms.org/3271/

Plugin Details

Severity: Medium

ID: 81166

File Name: pandora_fms_5_1_SP1_xss.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 2/4/2015

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:artica:pandora_fms

Required KB Items: Settings/ParanoidReport, installed_sw/Pandora FMS

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 11/17/2014

Vulnerability Publication Date: 11/14/2014

Reference Information

CVE: CVE-2014-8629

BID: 71277