Relative Path Traversal to Remote Code Execution in pandorafms/pandorafms
Feb 20th 2022
Pandora FMS v7.0NG.759 allows relative path traversal in the File Manager: a privileged user can upload a .php file outside the intended images directory, which is restricted from executing .php files. The impact could be Remote Code Execution with the privileges of the running application.
Proof of Concept
Affected version: Pandora FMS v7.0NG.759 - OUM 759 - MR 51
Affected component: Console
Request file passwd:
This vulnerability allows execution of OS commands with the privileges of the running application.
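A server-side check that would keep a File Manager upload inside the images directory, shown as an added example; it is not Pandora FMS code or the vendor's fix. The function name `safe_upload_target`, the extension allow-list and the sample directory tree are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not Pandora FMS code.
function safe_upload_target(string $baseDir, string $relDir, string $fileName): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('upload base directory is missing');
    }
    // realpath() collapses "..", "." and symlinks; false means the path does not exist.
    $dir = realpath($base . DIRECTORY_SEPARATOR . $relDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('destination directory does not exist');
    }
    // Containment: the resolved directory must be the base itself or below it.
    // The trailing separator stops "/images_other" from matching "/images".
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('destination is outside the upload directory');
    }
    // Keep only the last path component of the client-supplied file name.
    $name = basename(str_replace('\\', '/', $fileName));
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $allowed = ['png', 'jpg', 'jpeg', 'gif']; // assumed allow-list for an images directory
    if ($name === '' || $name[0] === '.' || !in_array($ext, $allowed, true)) {
        throw new RuntimeException('file type not allowed');
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Constructed sample tree in a temp directory, so the script runs offline.
$root = sys_get_temp_dir() . '/fm_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/images/icons', 0700, true);
$cases = [
    ['icons', 'logo.png'],       // accepted: stays under images/
    ['../', 'logo.png'],         // rejected: resolves to the parent of images/
    ['icons/../..', 'logo.png'], // rejected: resolves to the parent of images/
    ['icons', 'page.php'],       // rejected: extension not on the allow-list
];
foreach ($cases as [$dir, $file]) {
    try {
        echo safe_upload_target($root . '/images', $dir, $file), "\n";
    } catch (RuntimeException $e) {
        echo "rejected ($dir, $file): ", $e->getMessage(), "\n";
    }
}
```

The containment test runs on the resolved path rather than on the raw request parameter, so encoded or nested `..` sequences are handled by the same comparison.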