by Adam Baldwin
A persistent (stored) cross-site scripting vulnerability exists in the Pandora FMS 4.0.2 System Audit Log. The username field on the login page is not properly encoded when it is displayed in the system audit log.
No authentication is required to inject the payload into Pandora FMS; however, an authenticated user must visit the vulnerable page for it to execute. Should the Pandora FMS server not be public, injection of the payload can also be accomplished via CSRF, as the login form has no CSRF validation.
- Navigate to your Pandora FMS management interface.
- Enter a payload as the username and attempt to log in, e.g. username: <script>alert(1)</script>
- A Pandora FMS user navigates to the security audit log: https://pandora.example.com/index.php?login=1&sec=glog&sec2=godmode/admin_access_logs
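The two defects described above, as an added illustration rather than Pandora FMS's own code: an audit-log row renderer that interpolates the stored username unencoded, the same renderer with output encoding applied, and a per-session token check of the kind the login form lacks. All function, field and session-key names are assumptions.

```php
<?php
// Added example, not Pandora FMS source. Names and fields are assumptions.

// Constructed sample audit entry recording the login attempt from the steps above.
$entry = ['user' => '<script>alert(1)</script>', 'action' => 'Logon Failed', 'ip' => '192.0.2.10'];

// Vulnerable pattern: the attacker-controlled username is placed into the HTML
// as-is, so the browser of whoever views the log executes it.
function render_row_vulnerable(array $e): string {
    return "<tr><td>{$e['user']}</td><td>{$e['action']}</td><td>{$e['ip']}</td></tr>";
}

// Fix: encode every untrusted value at the point of output. ENT_QUOTES also
// encodes single quotes so the value stays inert inside attribute context;
// ENT_SUBSTITUTE prevents invalid UTF-8 from producing an empty string.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function render_row_fixed(array $e): string {
    return '<tr><td>' . h($e['user']) . '</td><td>' . h($e['action']) . '</td><td>' . h($e['ip']) . '</td></tr>';
}

// CSRF protection for the login form: issue a random token bound to the
// session, embed it in the form, and reject POSTs that do not carry it back.
// The session is passed as an array so the functions can run outside a web request.
function issue_login_csrf_token(array &$session): string {
    if (empty($session['login_csrf'])) {
        $session['login_csrf'] = bin2hex(random_bytes(32));
    }
    return $session['login_csrf'];
}
function login_csrf_ok(array $session, array $post): bool {
    // hash_equals is constant-time, avoiding a timing side channel on the comparison.
    return isset($post['csrf'], $session['login_csrf'])
        && hash_equals($session['login_csrf'], (string) $post['csrf']);
}

// Demonstration: the vulnerable row carries live markup, the fixed row shows it as text.
echo render_row_vulnerable($entry), PHP_EOL;
echo render_row_fixed($entry), PHP_EOL;

$session = [];
$token = issue_login_csrf_token($session);
var_dump(login_csrf_ok($session, ['csrf' => $token]));      // genuine form submission
var_dump(login_csrf_ok($session, ['nick' => 'attacker']));   // cross-site submission without the token
```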
We have received no response from the vendor on this vulnerability.