Cross-Site Request Forgery (CSRF) to User Privilege Escalation in pandorafms/pandorafms
Feb 19th 2022
Pandora FMS v7.0NG.759 allows Cross-Site Request Forgery in Bulk operation (User operation), resulting in elevation of privilege to the Administrator group.
Version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51
Affected components: Console
Proof of Concept
PoC file: adding attacker into Admin group, password:
This vulnerability allows an attacker account to be added to the Administrator group, resulting in elevation of privilege.
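
A server-side guard of the kind that refuses a forged bulk user operation, given as an added PHP example; it is not Pandora FMS code and not the vendor's fix. The function names, the csrf_token field, the sample user and the example.test origins are assumptions made for illustration.

```php
<?php
// Added example. issue_csrf_token, authorize_bulk_user_op, 'csrf_token' and the
// example.test origins are hypothetical names, not taken from Pandora FMS.

// Create one unpredictable token per session; the console embeds it in its own form.
function issue_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Return null when the request may proceed, otherwise the reason it is refused.
function authorize_bulk_user_op(array $session, array $post, array $server, string $consoleOrigin): ?string {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'state-changing operation must use POST';
    }
    // Browsers attach Origin to cross-site POSTs; a foreign value means another site built the request.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $consoleOrigin) {
        return 'cross-origin request';
    }
    // The session cookie is sent automatically, the token is not, so a forged form cannot supply it.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// Constructed requests sharing one administrator session.
$session = ['user' => 'admin'];
$token   = issue_csrf_token($session);
$console = 'https://console.example.test';
$change  = ['users' => ['newuser'], 'profile' => 'Administrator'];
$post    = ['REQUEST_METHOD' => 'POST'];

// Sent from the console's own form: carries the token and the console origin.
$legit = authorize_bulk_user_op($session, $change + ['csrf_token' => $token],
    $post + ['HTTP_ORIGIN' => $console], $console);
// Auto-submitted by a page on another site: same cookie, no token, foreign origin.
$forged = authorize_bulk_user_op($session, $change,
    $post + ['HTTP_ORIGIN' => 'https://other.example.test'], $console);
// Same forged request with the Origin header absent: the token check still refuses it.
$forgedNoOrigin = authorize_bulk_user_op($session, $change, $post, $console);

echo 'console form:        ', $legit ?? 'allowed', PHP_EOL;
echo 'forged, cross-site:  ', $forged ?? 'allowed', PHP_EOL;
echo 'forged, no Origin:   ', $forgedNoOrigin ?? 'allowed', PHP_EOL;
```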