CVE-2020-11749

CRITICAL

Pandorafms Pandora Fms < 746 - XSS

Title source: rule

Description

Pandora FMS 7.0 NG <= 746 suffers from Multiple XSS vulnerabilities in different browser views. A network administrator scanning a SNMP device can trigger a Cross Site Scripting (XSS), which can run arbitrary code to allow Remote Code Execution as root or apache2.

Exploits (1)

exploitdb WORKING POC

by AppleBois · textwebappsphp

https://www.exploit-db.com/exploits/48707

View Code ZIP pw:eip

References (4)

[Various Sources] https://medium.com/%40tehwinsam/multiple-xss-on-pandorafms-7-0-ng-744-64b244b8523c

[Exploit, Third Party Advisory, VDB Entry] https://packetstormsecurity.com/files/158389/Pandora-FMS-7.0-NG-746-Script-Insertion-Code-Execution.htmlPoC

[Release Notes, Vendor Advisory] https://pandorafms.com/downloads/whats-new-747-EN.pdf

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/48707

Scores

CVSS v3 9.0

EPSS 0.0578

EPSS Percentile 90.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (1)

pandorafms/pandora_fms 7.0_ng - 746

Published Jul 13, 2020

Tracked Since Feb 18, 2026