Description
Artica Pandora FMS through 7.42 is vulnerable to remote PHP code execution because of an Unrestricted Upload Of A File With A Dangerous Type issue in the File Manager. An attacker can create a (or use an existing) directory that is externally accessible to store PHP files. The filename and the exact path is known by the attacker, so it is possible to execute PHP code in the context of the application. The vulnerability is exploitable only with Administrator access.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://k4m1ll0.com/cve-2020-7935.html
Scores
CVSS v3
7.2
EPSS
0.0044
EPSS Percentile
63.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
artica/pandora_fms
< 7.42
Published
Mar 23, 2020
Tracked Since
Feb 18, 2026