CVE-2010-4282 - OpenCVE

Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Artica	Pandora Fms

Configuration 1 [-]

OR	cpe:2.3:a:artica:pandora_fms::::::::
	cpe:2.3:a:artica:pandora_fms:1.2:::::::*
	cpe:2.3:a:artica:pandora_fms:1.3:::::::*
	cpe:2.3:a:artica:pandora_fms:1.3:beta::::::
	cpe:2.3:a:artica:pandora_fms:1.3:beta1::::::
	cpe:2.3:a:artica:pandora_fms:1.3:beta2::::::
	cpe:2.3:a:artica:pandora_fms:1.3:beta3::::::
	cpe:2.3:a:artica:pandora_fms:1.3.1:::::::*
	cpe:2.3:a:artica:pandora_fms:2.0:::::::*
	cpe:2.3:a:artica:pandora_fms:2.0:beta::::::
	cpe:2.3:a:artica:pandora_fms:2.1:::::::*
	cpe:2.3:a:artica:pandora_fms:2.1.1:::::::*
	cpe:2.3:a:artica:pandora_fms:3.0:::::::*
	cpe:2.3:a:artica:pandora_fms:3.0:rc1::::::
	cpe:2.3:a:artica:pandora_fms:3.0:rc2::::::
	cpe:2.3:a:artica:pandora_fms:3.1:rc1::::::

References

Link	Resource
http://osvdb.org/69543
http://osvdb.org/69544
http://osvdb.org/69545
http://seclists.org/fulldisclosure/2010/Nov/326
http://secunia.com/advisories/42347
http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download	Patch
http://www.exploit-db.com/exploits/15643	Exploit
http://www.securityfocus.com/archive/1/514939/100/0/threaded
http://www.securityfocus.com/bid/45112	Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2010-12-02T17:00:00

Updated: 2018-10-10T18:57:01

Reserved: 2010-11-17T00:00:00

Link: CVE-2010-4282

JSON object: View

NVD Information

Status : Modified

Published: 2010-12-02T17:15:00.597

Modified: 2018-10-10T20:07:59.367

Link: CVE-2010-4282

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-10-13T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "69545", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/69545"}, {"name": "42347", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/42347"}, {"name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download"}, {"name": "69543", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/69543"}, {"name": "45112", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/45112"}, {"name": "69544", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/69544"}, {"name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2010/Nov/326"}, {"name": "15643", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/15643"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4282", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "69545", "refsource": "OSVDB", "url": "http://osvdb.org/69545"}, {"name": "42347", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/42347"}, {"name": "20101130 Pandora FMS Authentication Bypass and Multiple Input Validation Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded"}, {"name": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download", "refsource": "CONFIRM", "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download"}, {"name": "69543", "refsource": "OSVDB", "url": "http://osvdb.org/69543"}, {"name": "45112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/45112"}, {"name": "69544", "refsource": "OSVDB", "url": "http://osvdb.org/69544"}, {"name": "20101130 Pandora FMS Authentication Bypass and Multiple\tInput Validation Vulnerabilities", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2010/Nov/326"}, {"name": "15643", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/15643"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4282", "datePublished": "2010-12-02T17:00:00", "dateReserved": "2010-11-17T00:00:00", "dateUpdated": "2018-10-10T18:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A972A8C1-4418-457A-B333-31CBFEA87F43", "versionEndIncluding": "3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E5F58083-665E-40CE-94E8-AF46BD41E2B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C4153C42-C38B-4DF8-9C24-2060FB18F370", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta:*:*:*:*:*:*", "matchCriteriaId": "2544AF2E-0BA3-409F-9AF4-7B42751C8E56", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "95734EBF-826B-43B9-B790-111329AB8581", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta2:*:*:*:*:*:*", "matchCriteriaId": "34FB9160-6109-4C68-B8C2-E9FF5FA1E783", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:1.3:beta3:*:*:*:*:*:*", "matchCriteriaId": "A7220D9B-1FAB-4265-90D9-87630AE906B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "F912B082-3834-462C-956E-5003E5CDF624", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE24C15F-4653-46CB-9C8F-6DE942154B65", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:2.0:beta:*:*:*:*:*:*", "matchCriteriaId": "1464A86D-222B-49BD-A4F5-9AE5AD57E016", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "CAF92EC0-0616-4F17-9588-70C22C69A579", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "69446BEE-365D-49B5-9AEC-268AA93D8E2A", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD917088-E151-4EC1-94AE-2D3F2F3A600B", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8BBEA8F8-E1FB-4C62-91FD-67EBD5006F96", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "98406056-AD7A-4A54-80B8-280E197F90ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:artica:pandora_fms:3.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "B32CC8A6-A253-4DD2-867C-DCE583F073E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de salto de directorio en FMS anterior a v3.1.1 permite a atacantes remotos incluir y ejecutar ficheros locales de su elecci\u00f3n mediante (1) el par\u00e1metro page para ajax.php o (2) el par\u00e1metro id para general/pandora_help.php, y permite a atacantes remotos incluir, ejecutar, crear, modificar, o borrar ficheros locales de su elecci\u00f3n mediante (3) el par\u00e1metro layout para operation/agentes/networkmap.php."}], "id": "CVE-2010-4282", "lastModified": "2018-10-10T20:07:59.367", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-12-02T17:15:00.597", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/69543"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/69544"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/69545"}, {"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2010/Nov/326"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/42347"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://sourceforge.net/projects/pandora/files/Pandora%20FMS%203.1/Final%20version%20%28Stable%29/pandorafms_console-3.1_security_patch_13Oct2010.tar.gz/download"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/15643"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/514939/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/45112"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}