CVE-2022-45436

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

I

mproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all platforms, allows Cross-Site Scripting (XSS). As a manager privilege user , create a network map containing name as xss payload. Once created, admin user must click on the edit network maps and XSS payload will be executed, which could be used for stealing admin users cookie value.

References

Link	Resource
https://gist.github.com/damodarnaik/ac07a179972cd4d508f246e9bc5500e7
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/	Vendor Advisory
https://gist.github.com/damodarnaik/ac07a179972cd4d508f246e9bc5500e7
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pandorafms:pandora_fms:765:*:*:*:*:*:*:*

History

21 Nov 2024, 07:29

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~4.8~~	v2 : unknown v3 : 6.1
References	~~() https://gist.github.com/damodarnaik/ac07a179972cd4d508f246e9bc5500e7 -~~	() https://gist.github.com/damodarnaik/ac07a179972cd4d508f246e9bc5500e7 -
References	~~() https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ - Vendor Advisory~~	() https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/ - Vendor Advisory

Information

Published : 2023-02-15 04:15

Updated : 2024-11-21 07:29

NVD link : CVE-2022-45436

Mitre link : CVE-2022-45436

CVE.ORG link : CVE-2022-45436

JSON object : View

Products Affected

pandora_fms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-45436", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2023-02-15T04:15:10.613", "references": [{"url": "https://gist.github.com/damodarnaik/ac07a179972cd4d508f246e9bc5500e7", "source": "[email protected]"}, {"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://gist.github.com/damodarnaik/ac07a179972cd4d508f246e9bc5500e7", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artica PFMS Pandora FMS v765 on all platforms, allows Cross-Site Scripting (XSS). As a manager privilege user , create a network map containing name as xss payload. Once created, admin user must click on the edit network maps and XSS payload will be executed, which could be used for stealing admin users cookie value.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de la p\u00e1gina web en Artica PFMS Pandora FMS v765 en todas las plataformas, permite Cross-Site Scripting (XSS). Como usuario con privilegios de administrador, crea un mapa de red que contiene el nombre como payload xss. Una vez creado, el usuario administrador debe hacer clic en la edici\u00f3n de mapas de red y se ejecutar\u00e1 el payload XSS, que podr\u00eda ser utilizado para robar el valor de la cookie de los usuarios administradores."}], "lastModified": "2024-11-21T07:29:15.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pandorafms:pandora_fms:765:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09E9C019-B213-42AF-8555-3ACBA24596FD"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}