Improper Authorization in User Management to Vertical Privilege Escalation in pandorafms/pandorafms


Reported on

Feb 25th 2022


Pandora FMS v7.0NG.759 allows improper authorization in User Management where any authenticated user with access to the User Management module could create, modify, delete any user with full admin privilege. The impact could lead to vertical privilege escalation to access the privileges of a higher-level user or typically an admin user.

Proof of Concept

Affected endpoints:

1 POST http://$HOST/pandora_console/index.php?sec=gusuarios&sec2=godmode/users/configure_user&pure=0
2 POST http://$HOST/pandora_console/index.php?sec=gusuarios&sec2=godmode/users/user_list&pure=0

PoC image:

Modify own account to admin privilege
Create new account with admin privilege
Delete existing admin


This vulnerability is capable of modifying higher privilege accounts thus leading to vertical privilege escalation.

We are processing your report and will contact the pandorafms team within 24 hours. 2 years ago
We have contacted a member of the pandorafms team and are waiting to hear back 2 years ago
We have sent a follow up to the pandorafms team. We will try again in 7 days. 2 years ago
pandorafms/pandorafms maintainer
2 years ago


As an official CNA, we have reserved the following CVE ( CVE-2022-26310 ) and this vulnerability will be fixed in version v761.

We have sent a second follow up to the pandorafms team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the pandorafms team. This report is now considered stale. 2 years ago
Faisal Fs ⚔️ modified the report
a year ago
to join this conversation