Improper Authorization in User Management to Vertical Privilege Escalation in pandorafms/pandorafms

Valid

Reported on Feb 25th 2022


Description

Pandora FMS v7.0NG.759 performs improper authorization in User Management: any authenticated user with access to the User Management module could create, modify, or delete any user, including accounts with full admin privilege. The impact is vertical privilege escalation, in which the attacker gains the privileges of a higher-level user, typically an admin user.

Proof of Concept

Affected endpoints:

1. POST http://$HOST/pandora_console/index.php?sec=gusuarios&sec2=godmode/users/configure_user&pure=0
2. POST http://$HOST/pandora_console/index.php?sec=gusuarios&sec2=godmode/users/user_list&pure=0

PoC images (screenshot captions; the images themselves are not reproduced here):

- Modify own account to admin privilege
- Create new account with admin privilege
- Delete existing admin

Impact

This vulnerability allows a low-privileged user to modify higher-privilege accounts, leading to vertical privilege escalation.
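The root cause described above is that reaching the User Management module is treated as sufficient authorization for every operation inside it. The following is an added example (not Pandora FMS code) of the object-level checks a user-management handler needs so that each of the three reported actions is refused server-side for a non-admin session. The `User`, `UserStore` and sample usernames are constructed for illustration.

```python
"""Server-side authorization checks for a user-management module.

Added example, not Pandora FMS code: models the three actions from the
report (modify own account to admin, create an admin account, delete an
existing admin) and the per-operation checks that must run before each
one, instead of relying on access to the module alone.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the acting user is not allowed to perform the operation."""


@dataclass
class User:
    username: str
    is_admin: bool = False
    email: str = ""


@dataclass
class UserStore:
    # Constructed in-memory user table; a real deployment reads the database.
    users: dict = field(default_factory=dict)

    def admin_count(self) -> int:
        return sum(1 for u in self.users.values() if u.is_admin)

    def create_user(self, actor: User, new: User) -> User:
        # Having reached the user-management page is not an authorization
        # decision: creating any account, let alone an admin one, requires
        # the admin role on the acting session.
        if not actor.is_admin:
            raise AuthorizationError("only administrators may create users")
        if new.username in self.users:
            raise ValueError("user exists")
        self.users[new.username] = new
        return new

    def update_user(self, actor: User, target_name: str, **changes) -> User:
        target = self.users[target_name]
        if not actor.is_admin:
            # Non-admins may edit only their own account ...
            if actor.username != target_name:
                raise AuthorizationError("cannot modify another user's account")
            # ... and never the privilege flag, so "modify own account to
            # admin" is refused regardless of what the submitted form contains.
            if "is_admin" in changes:
                raise AuthorizationError("cannot change own privilege level")
        for key, value in changes.items():
            if not hasattr(target, key):
                raise ValueError(f"unknown field {key}")
            setattr(target, key, value)
        return target

    def delete_user(self, actor: User, target_name: str) -> None:
        if not actor.is_admin:
            raise AuthorizationError("only administrators may delete users")
        target = self.users[target_name]
        # Removing the last administrator would lock everyone out of admin tasks.
        if target.is_admin and self.admin_count() == 1:
            raise AuthorizationError("cannot delete the last administrator")
        del self.users[target_name]


def build_sample_store() -> UserStore:
    """Constructed sample data: one admin and one ordinary operator."""
    store = UserStore()
    store.users["admin"] = User("admin", is_admin=True)
    store.users["operator"] = User("operator")
    return store


def run_report_actions_as_operator(store: UserStore) -> dict:
    """Replay the three reported actions as the low-privilege user and
    record whether each was blocked. Returns {action: blocked}."""
    operator = store.users["operator"]
    attempts = {
        "modify_self_to_admin": lambda: store.update_user(operator, "operator", is_admin=True),
        "create_admin": lambda: store.create_user(operator, User("newadmin", is_admin=True)),
        "delete_admin": lambda: store.delete_user(operator, "admin"),
    }
    results = {}
    for name, action in attempts.items():
        try:
            action()
            results[name] = False
        except AuthorizationError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(run_report_actions_as_operator(build_sample_store()))
```

The check is deliberately placed inside each store operation rather than at the page or module boundary, so a request that reaches `configure_user` or `user_list` through a different route still hits the same decision. A regression test that replays the reported actions with a non-admin session, as `run_report_actions_as_operator` does, is a cheap way to keep the fix from silently reverting.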

- We are processing your report and will contact the pandorafms team within 24 hours. (9 months ago)
- We have contacted a member of the pandorafms team and are waiting to hear back. (9 months ago)
- We have sent a follow up to the pandorafms team. We will try again in 7 days. (9 months ago)

pandorafms/pandorafms maintainer (Maintainer), 9 months ago:

As an official CNA, we have reserved the following CVE ( CVE-2022-26310 ) and this vulnerability will be fixed in version v761.

- We have sent a second follow up to the pandorafms team. We will try again in 10 days. (9 months ago)
- We have sent a third and final follow up to the pandorafms team. This report is now considered stale. (9 months ago)
- Faisal Fs ⚔️ modified the report. (2 months ago)