CVE-2020-11749

CRITICAL

Pandora FMS 7.0_ng-746 - Stored Cross-Site Scripting in SNMP Device Scan View


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-11749. PoC published by AppleBois.

AI-analyzed exploit summary

This exploit leverages a persistent XSS vulnerability in PandoraFMS 7.0 NG 746 by injecting malicious JavaScript into SNMP configuration fields. The JavaScript then creates a malicious plugin to execute a reverse shell command, achieving remote code execution.

Description

Pandora FMS 7.0 NG <= 746 suffers from multiple XSS vulnerabilities in different browser views. A network administrator scanning an SNMP device can trigger a Cross-Site Scripting (XSS) payload, which can run arbitrary code to allow Remote Code Execution as root or apache2.

Exploits (1)

exploitdb WORKING POC
by AppleBois · text · webapps · php
https://www.exploit-db.com/exploits/48707

Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: PandoraFMS 7.0 NG 746
Auth required: yes
Prerequisites: Access to modify SNMP configuration · Network access to the PandoraFMS server · Valid credentials to interact with the PandoraFMS console
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References
Release Notes, Vendor Advisory (x_refsource_confirm)
https://pandorafms.com/downloads/whats-new-747-EN.pdf
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc)
https://www.exploit-db.com/exploits/48707

Scores

CVSS v3: 9.0
EPSS: 0.1623
EPSS Percentile: 96.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE: CWE-79
Status: published
Products (1)
pandorafms/pandora_fms 7.0_ng - 746
Published: Jul 13, 2020
Tracked Since: Feb 18, 2026