CVE-2024-35306 - OpenCVE

OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact Low

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Pandora Fms	Pandora Fms

No data.

No data.

References

Link	Providers
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/

History

No history.

MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published: 2024-06-10T14:30:36.784Z

Updated: 2024-08-02T03:07:46.944Z

Reserved: 2024-05-16T17:38:35.343Z

Link: CVE-2024-35306

Vulnrichment

Updated: 2024-06-10T17:38:40.523Z

NVD

Status : Awaiting Analysis

Published: 2024-06-10T15:15:51.700

Modified: 2024-06-10T18:06:22.600

Link: CVE-2024-35306

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35306", "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "state": "PUBLISHED", "assignerShortName": "PandoraFMS", "dateReserved": "2024-05-16T17:38:35.343Z", "datePublished": "2024-06-10T14:30:36.784Z", "dateUpdated": "2024-08-02T03:07:46.944Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["all"], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [{"lessThan": "777", "status": "affected", "version": "700", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Aleksey Solovev (Positive Technologies)"}], "datePublic": "2024-06-10T14:28:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777."}], "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables.\u00a0This issue affects Pandora FMS: from 700 through <777."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "RED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/AU:Y/R:U/RE:L/U:Red", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS", "dateUpdated": "2024-06-10T14:30:36.784Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Fixed v777"}], "value": "Fixed v777"}], "source": {"discovery": "EXTERNAL"}, "title": "OS Command injection in Ajax PHP files through HTTP Request", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "pandora_fms", "product": "pandora_fms", "cpes": ["cpe:2.3:a:pandora_fms:pandora_fms:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "700", "status": "affected", "lessThan": "777", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-10T17:34:28.554257Z", "id": "CVE-2024-35306", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T17:42:02.806Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.944Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35306", "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "state": "PUBLISHED", "assignerShortName": "PandoraFMS", "dateReserved": "2024-05-16T17:38:35.343Z", "datePublished": "2024-06-10T14:30:36.784Z", "dateUpdated": "2024-06-10T17:42:02.806Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["all"], "product": "Pandora FMS", "vendor": "Pandora FMS", "versions": [{"lessThan": "777", "status": "affected", "version": "700", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Aleksey Solovev (Positive Technologies)"}], "datePublic": "2024-06-10T14:28:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables. This issue affects Pandora FMS: from 700 through <777."}], "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables.\u00a0This issue affects Pandora FMS: from 700 through <777."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "RED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/AU:Y/R:U/RE:L/U:Red", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS", "dateUpdated": "2024-06-10T14:30:36.784Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Fixed v777"}], "value": "Fixed v777"}], "source": {"discovery": "EXTERNAL"}, "title": "OS Command injection in Ajax PHP files through HTTP Request", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35306", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-10T17:34:28.554257Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pandora_fms:pandora_fms:*:*:*:*:*:*:*:*"], "vendor": "pandora_fms", "product": "pandora_fms", "versions": [{"status": "affected", "version": "700", "lessThan": "777", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T17:38:40.523Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command injection in Ajax PHP files via HTTP Request, allows to execute system commands by exploiting variables.\u00a0This issue affects Pandora FMS: from 700 through <777."}, {"lang": "es", "value": "La inyecci\u00f3n de comandos del sistema operativo en archivos PHP Ajax a trav\u00e9s de una solicitud HTTP, permite ejecutar comandos del sistema explotando variables. Este problema afecta a Pandora FMS: desde 700 hasta <777."}], "id": "CVE-2024-35306", "lastModified": "2024-06-10T18:06:22.600", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "ADJACENT", "automatable": "YES", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "RED", "recovery": "USER", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:Red", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security@pandorafms.com", "type": "Secondary"}]}, "published": "2024-06-10T15:15:51.700", "references": [{"source": "security@pandorafms.com", "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@pandorafms.com", "type": "Secondary"}]}