CVE-2022-47372
📋 TL;DR
This stored cross-site scripting vulnerability in Pandora FMS allows attackers to inject malicious scripts into the Create event section. When users view the compromised page, the scripts execute in their browser context, potentially stealing session cookies or performing actions as the victim. Organizations running Pandora FMS Console v766 or earlier are affected.
💻 Affected Systems
- Pandora FMS Console
📦 What is this software?
Pandora Fms by Pandorafms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access to Pandora FMS, pivot to internal systems, and potentially compromise the entire monitoring infrastructure.
Likely Case
Attackers steal user session cookies to gain unauthorized access to the Pandora FMS console, potentially modifying monitoring configurations or accessing sensitive system information.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the Create event section. Public proof-of-concept demonstrates the injection technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v767 or later
Vendor Advisory: https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
Restart Required: Yes
Instructions:
1. Back up the current Pandora FMS installation and database.
2. Download and install Pandora FMS v767 or later from the official vendor site.
3. Follow the vendor upgrade documentation.
4. Restart Pandora FMS services.
5. Verify functionality post-upgrade.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize event creation inputs
Requires code modification to /var/www/html/pandora_console/include/functions_events.php or similar event handling files
Output Encoding
Apply proper HTML encoding to all user-controlled data displayed in the web interface
Modify event display templates to use htmlspecialchars() or equivalent encoding
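The two workarounds above (validate on input, encode on output) are shown together below as an added example; this is not Pandora FMS code and does not touch functions_events.php. It is written in Python rather than PHP so it can run anywhere: html.escape(quote=True) performs the same substitutions as PHP htmlspecialchars() with ENT_QUOTES. The event title, the allow-list pattern and the table-cell template are all constructed for the example.

```python
import html
import re

# Constructed sample event title (not from the advisory): a script tag embedded in
# otherwise normal-looking text, which is exactly what the stored XSS relies on.
SAMPLE_TITLE = "Disk full <script>alert('x')</script>"

# Hypothetical allow-list for event titles: printable text, common punctuation,
# bounded length. A real deployment would tune this to its own naming conventions.
_TITLE_RE = re.compile(r"^[\w .,:;()\-/\[\]]{1,250}$")


def validate_event_title(title: str) -> bool:
    """Server-side input validation: accept only titles matching the allow-list.

    This is the first workaround (reject at creation time). Rejecting '<', '>' and
    quotes keeps markup out of the database, but it is a backstop, not a substitute
    for output encoding, because existing rows and other input paths are unaffected.
    """
    return bool(_TITLE_RE.fullmatch(title))


def render_event_row_unsafe(title: str) -> str:
    """Vulnerable pattern: user-controlled data concatenated straight into HTML.

    A stored title like SAMPLE_TITLE is emitted verbatim and the browser runs it.
    """
    return f"<td class='event-title'>{title}</td>"


def render_event_row_safe(title: str) -> str:
    """Hardened pattern (second workaround): encode at the point of output.

    html.escape(quote=True) turns < > & " ' into entities, so the browser displays
    the payload as text instead of parsing it as markup.
    """
    return f"<td class='event-title'>{html.escape(title, quote=True)}</td>"


def contains_raw_script_tag(fragment: str) -> bool:
    """Helper used to verify the fix: does the rendered HTML still carry a live tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print("valid input? ", validate_event_title(SAMPLE_TITLE))
    print("unsafe row:   ", render_event_row_unsafe(SAMPLE_TITLE))
    print("safe row:     ", render_event_row_safe(SAMPLE_TITLE))
```

Encoding must happen in every template that prints event fields, not only the event list; a title that is escaped in one view and echoed raw in a tooltip or detail pane is still exploitable there.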
🧯 If You Can't Patch
- Restrict access to the Create event functionality to only trusted administrators
- Implement a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Pandora FMS version via the web interface or console. If the version is 766 or lower, the system is vulnerable.
Check Version:
grep 'version' /var/www/html/pandora_console/include/config.php | head -1
Verify Fix Applied:
After upgrade, verify version is 767 or higher and test event creation with basic XSS payloads like <script>alert('test')</script> to ensure they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual event creation patterns
- Multiple failed XSS attempts in web server logs
- Suspicious characters in event creation requests
Network Indicators:
- HTTP requests containing script tags or JavaScript in event creation parameters
SIEM Query:
source="pandora_access.log" AND ("<script" OR "javascript:" OR "onload=" OR "onerror=") AND uri_path="/ajax.php" AND parameters="*op_eventos*"
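The SIEM query above, expressed as a standalone log scanner, is added here as an example and is not part of the advisory or of Pandora FMS. It applies the same four indicators to URL-decoded request targets, restricts matches to the /ajax.php path and to requests carrying op_eventos, and reports which indicator fired. The four access-log lines are constructed for the example; real Pandora FMS request formats may differ.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format, not real Pandora FMS logs).
# Line 1: benign event creation. Lines 2-3: payloads in the event parameter.
# Line 4: a script tag outside the event-creation path, which the query excludes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:00 +0000] "POST /ajax.php?page=op_eventos&event=Disk+full HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2023:10:00:03 +0000] "POST /ajax.php?page=op_eventos&event=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2023:10:00:07 +0000] "POST /ajax.php?page=op_eventos&event=x%22+onerror%3Dalert%281%29 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2023:10:00:09 +0000] "GET /index.php?sec=view&q=%3Cscript%3E HTTP/1.1" 200 512
"""

# Minimal combined-log-format parser: client, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# The same indicators the SIEM query looks for, compared case-insensitively.
INDICATORS = ("<script", "javascript:", "onload=", "onerror=")


def is_suspicious_event_request(line: str):
    """Return a finding dict for one log line, or None if it does not match.

    Mirrors the SIEM query: uri_path="/ajax.php", parameters contain op_eventos,
    and at least one XSS indicator appears once the query string is URL-decoded.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/ajax.php"):
        return None
    # Decode before matching: payloads arrive percent-encoded and would otherwise be missed.
    query = unquote_plus(parts.query).lower()
    if "op_eventos" not in query:
        return None
    hits = [ind for ind in INDICATORS if ind in query]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "indicators": hits}


def scan_log(text: str):
    """Run the check over every line and keep only the findings."""
    findings = (is_suspicious_event_request(ln) for ln in text.splitlines())
    return [f for f in findings if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

One caveat when porting this to a real deployment: standard web-server access logs record only the request line, so parameters sent in a POST body are invisible to this check. Covering the body requires the WAF's request logging or application-level audit logs, which is also where the "Suspicious characters in event creation requests" indicator is most reliably observed.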