CVE-2022-47373

MEDIUM

Pandora FMS < 766 - Reflected Cross-Site Scripting via Username Parameter in Forget Password Functionality

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-47373. PoCs published by Argonx21.

AI-analyzed exploit summary: This repository contains a writeup describing a reflected XSS vulnerability in PandoraFMS <= v766. The exploit involves injecting an XSS payload into the search functionality in the module library section, which executes when a victim interacts with the crafted URL.

Description

Reflected Cross-Site Scripting in the Search Functionality of the Module Library in Pandora FMS Console v766 and lower. This vulnerability arises in the forget password functionality, in which the username parameter does not undergo proper input validation/sanitization, which results in the execution of a malicious JavaScript payload.

Exploits (1)

nomisec WRITEUP
by Argonx21 · poc
https://github.com/Argonx21/CVE-2022-47373

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PandoraFMS <= v766
Auth required
Prerequisites: Access to the module library section · Victim interaction with a crafted URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.4
EPSS: 0.0034
EPSS Percentile: 25.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-352, CWE-79
Status: published
Products (1): pandorafms/pandora_fms < 766
Published: Feb 15, 2023
Tracked Since: Feb 18, 2026