Cross-Site Request Forgery (CSRF) to User Privilege Escalation in pandorafms/pandorafms

Status: Valid

Reported on: Feb 19th 2022


Description

Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in the Bulk operations (User operations) feature, resulting in elevation of privilege to the Administrator group.

Detail

Version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51
Affected components: Console

Proof of Concept

Affected Endpoint:

POST http://$HOST/pandora_console/index.php?sec=gmassive&sec2=godmode/massive/massive_operations&tab=massive_users&option=add_profiles


PoC file: adds the attacker account to the Admin group (attacker account password: dejy7ecw7y)

Impact

This vulnerability allows an attacker account to be added to the Administrator group, resulting in elevation of privilege.
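The usual fix for this class of bug is to bind every state-changing console request to a secret the browser only sends with a legitimate form. The following is an added example (not Pandora FMS code) of a synchronizer-token check plus an Origin/Referer check placed in front of the add_profiles bulk operation; `assign_profiles_to_users()` and the POST field names are assumptions.

```php
<?php
// Added example, not Pandora FMS code: synchronizer-token and origin checks
// in front of a state-changing bulk user operation such as option=add_profiles.
// assign_profiles_to_users() and the POST field names are hypothetical.
session_start();

// One token per session; embed it in every bulk-operation form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to render inside the massive_users form.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Constant-time comparison; a forged cross-site form cannot read the victim's token.
function csrf_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Defence in depth: the Origin (or Referer) host must be this console's host.
function same_origin(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = explode(':', $server['HTTP_HOST'] ?? '', 2)[0];
    return $source !== '' && $host !== '' && parse_url($source, PHP_URL_HOST) === $host;
}

// Entry point for tab=massive_users&option=add_profiles (POST only).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST) || !same_origin($_SERVER)) {
        http_response_code(403);
        error_log('Bulk user operation rejected: CSRF token or origin check failed');
        exit;
    }
    // Only now apply the privileged change (hypothetical project function).
    assign_profiles_to_users($_POST['id_users'] ?? [], $_POST['id_profiles'] ?? []);
}
```

The 403 path also writes a log line, which gives a detection hook: repeated rejections against this endpoint for one session are worth alerting on.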

We are processing your report and will contact the pandorafms team within 24 hours. 9 months ago
Faisal Fs ⚔️ modified the report 9 months ago
Faisal Fs ⚔️ modified the report 9 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 9 months ago
We have contacted a member of the pandorafms team and are waiting to hear back 9 months ago
We have sent a follow up to the pandorafms team. We will try again in 7 days. 9 months ago
pandorafms/pandorafms maintainer modified the report 9 months ago

Faisal Fs ⚔️ (Researcher), 9 months ago:

Hi, is it supposed to be addressed as low severity?

We have sent a second follow up to the pandorafms team. We will try again in 10 days. 9 months ago
pandorafms/pandorafms maintainer (Maintainer), 9 months ago:

As an official CNA, we have reserved the following CVE (CVE-2022-26308) and this vulnerability will be fixed in version v761.

We have sent a third and final follow up to the pandorafms team. This report is now considered stale. 9 months ago
Faisal Fs ⚔️ modified the report a month ago

Faisal Fs ⚔️ (Researcher), a month ago:

Pandora FMS Advisory:
