Pandora FMS 4.0.2 System Audit Log XSS

by Adam Baldwin

Summary

A persistent (stored) cross-site scripting vulnerability exists in the Pandora FMS 4.0.2 System Audit Log. The username field on the login page is not properly encoded when it is displayed in the System Audit Log.

No authentication is required to inject the payload into Pandora FMS; however, an authenticated user must visit the vulnerable page. If the Pandora FMS server is not publicly reachable, the payload can also be injected using CSRF, because the login form has no CSRF validation.
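The two gaps described above (unencoded output of the logged username, and a login form without CSRF validation) are shown below with one possible fix for each. This is an added example, not Pandora FMS code and not part of the original advisory; the function names, row and form field names, and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Pandora FMS source. All names here are hypothetical.

// Constructed audit rows. 'user' is whatever was typed into the login form,
// so it is attacker-controlled even for failed, unauthenticated logins.
$auditRows = [
    ['time' => '2012-05-01 10:00:00', 'user' => 'admin',
     'action' => 'Logon', 'ip' => '192.0.2.10'],
    ['time' => '2012-05-01 10:02:13', 'user' => '<script>alert(1)</script>',
     'action' => 'Logon Failed', 'ip' => '192.0.2.77'],
];

// Encode a stored value for HTML element content or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored username is concatenated into markup as-is.
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['user'] . '</td><td>' . $row['action'] . '</td></tr>';
}

// Hardened pattern: every stored field is encoded at output time.
function renderRowSafe(array $row): string
{
    $cells = array_map('h', [$row['time'], $row['user'], $row['action'], $row['ip']]);
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

// Login handler check: refuse a POST whose token does not match the one issued
// with the login form, so a cross-site request never reaches the audit logger.
function loginPostHasValidToken(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

foreach ($auditRows as $row) {
    echo "unsafe: ", renderRowUnsafe($row), "\n";
    echo "safe:   ", renderRowSafe($row), "\n";
}

$session = ['csrf_token' => bin2hex(random_bytes(32))];
var_dump(loginPostHasValidToken($session, ['csrf_token' => $session['csrf_token']]));
var_dump(loginPostHasValidToken($session, ['nick' => 'x', 'pass' => 'y']));
```

Encoding at output time protects the audit view even for rows that were stored before the fix, which input filtering alone would not.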

Example exploitation

We have received no response from the vendor on this vulnerability.