Improper Authorization in User Management to Vertical Privilege Escalation in pandorafms/pandorafms

Status: Valid

Reported on: Feb 25th 2022

Description

Pandora FMS v7.0NG.759 performs improper authorization in User Management: any authenticated user with access to the User Management module can create, modify, or delete any user, including users with full admin privileges. The result is vertical privilege escalation, where a low-privilege user obtains the privileges of a higher-level user, typically an administrator.

Proof of Concept

Affected endpoints:

POST http://$HOST/pandora_console/index.php?sec=gusuarios&sec2=godmode/users/configure_user&pure=0
POST http://$HOST/pandora_console/index.php?sec=gusuarios&sec2=godmode/users/user_list&pure=0

PoC images (screenshot captions only; the images themselves are not reproduced here):

Modify own account to admin privilege
Create new account with admin privilege
Delete existing admin

Impact

This vulnerability allows a low-privilege user to modify, create, or delete higher-privilege accounts, leading to vertical privilege escalation.
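The report's root cause is that the User Management handlers gate only on "is the caller logged in and can they reach the module", never on whether the caller's own role permits the privilege change being requested. The following is an added example written for this page, not Pandora FMS source code: a small in-memory model with the vulnerable pattern beside a hardened handler that checks the acting user's role on the server. The `User` record, the `is_admin` role flag, and the handler signatures are assumptions made for the illustration.

```python
"""Illustrative model of the authorization gap in the report, with a hardened
handler beside the vulnerable one. Written for this page; not Pandora FMS
source. User records, role names and handler signatures are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    is_admin: bool = False


class AuthorizationError(PermissionError):
    """Raised when the acting user is not allowed to perform the operation."""


def make_store() -> Dict[str, User]:
    # Constructed sample data for the example (one admin, one ordinary user).
    return {
        "admin": User("admin", is_admin=True),
        "alice": User("alice"),
    }


def vulnerable_save_user(actor: Optional[User], users: Dict[str, User],
                         target: str, is_admin: bool) -> User:
    """Vulnerable pattern: the only gate is 'authenticated and reached the module'.
    Nothing ties the privilege being written to the actor's own privilege, so a
    low-privilege user can promote themselves or create a brand-new admin."""
    if actor is None:
        raise AuthorizationError("not authenticated")
    user = users.setdefault(target, User(target))
    user.is_admin = is_admin
    return user


def hardened_save_user(actor: Optional[User], users: Dict[str, User],
                       target: str, is_admin: bool) -> User:
    """Hardened pattern: authorize the operation against the actor's role on the
    server, independent of which UI module the request arrived through."""
    if actor is None:
        raise AuthorizationError("not authenticated")
    if not actor.is_admin:
        # Non-admins may edit only their own record and never a privilege field.
        if target != actor.username:
            raise AuthorizationError("non-admin may not modify other users")
        if is_admin:
            raise AuthorizationError("non-admin may not grant admin privilege")
    user = users.setdefault(target, User(target))
    user.is_admin = is_admin
    return user


def hardened_delete_user(actor: Optional[User], users: Dict[str, User],
                         target: str) -> None:
    """Deletion is admin-only, and the last remaining admin cannot be removed."""
    if actor is None:
        raise AuthorizationError("not authenticated")
    if not actor.is_admin:
        raise AuthorizationError("only admins may delete users")
    victim = users.get(target)
    if victim is None:
        raise KeyError(target)
    admins = [u for u in users.values() if u.is_admin]
    if victim.is_admin and len(admins) <= 1:
        raise AuthorizationError("refusing to delete the last admin")
    del users[target]


def _blocked(fn, *args) -> bool:
    """True if the handler refused the operation with AuthorizationError."""
    try:
        fn(*args)
    except AuthorizationError:
        return True
    return False


def demo() -> dict:
    """Run the report's PoC actions as a non-admin against both handlers."""
    results = {}
    store = make_store()
    alice = store["alice"]
    # Vulnerable handler: self-promotion and admin creation both succeed.
    results["vuln_self_promote"] = vulnerable_save_user(alice, store, "alice", True).is_admin
    results["vuln_create_admin"] = vulnerable_save_user(alice, store, "mallory", True).is_admin

    store = make_store()
    alice = store["alice"]
    # Hardened handler: the same actions are refused; a harmless self-edit still works.
    results["fixed_self_promote_blocked"] = _blocked(hardened_save_user, alice, store, "alice", True)
    results["fixed_create_admin_blocked"] = _blocked(hardened_save_user, alice, store, "mallory", True)
    results["fixed_delete_admin_blocked"] = _blocked(hardened_delete_user, alice, store, "admin")
    results["fixed_self_edit_ok"] = hardened_save_user(alice, store, "alice", False).username == "alice"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the check lives in the request handler and compares the actor's role with the change being requested (who is the target, what privilege is being written), rather than trusting that reaching a "godmode" page implies the right to use it. Refusing to delete the last administrator is an additional guard against lock-out that the report's third PoC action (deleting an existing admin) makes worth having.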

We are processing your report and will contact the pandorafms team within 24 hours. 2 years ago
We have contacted a member of the pandorafms team and are waiting to hear back 2 years ago
We have sent a follow up to the pandorafms team. We will try again in 7 days. 2 years ago
pandorafms/pandorafms maintainer (Maintainer) · 2 years ago

As an official CNA, we have reserved the following CVE (CVE-2022-26310) and this vulnerability will be fixed in version v761.

We have sent a second follow up to the pandorafms team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the pandorafms team. This report is now considered stale. 2 years ago
Faisal Fs ⚔️ modified the report a year ago