CVE-2021-46678 - OpenCVE

A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the service name field.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Pandorafms	Pandora Fms

Configuration 1 [-]

cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*

References

Link	Resource
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/	Vendor Advisory
https://www.incibe.es/en/cve-assignment-publication/coordinated-cves	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ARTICA

Published: 2022-02-21T00:00:00

Updated: 2022-08-05T15:26:35

Reserved: 2022-02-08T00:00:00

Link: CVE-2021-46678

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-05T16:15:11.093

Modified: 2022-08-07T03:16:12.007

Link: CVE-2021-46678

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"platforms": ["all"], "product": "Pandora FMS", "vendor": "Artica PFMS", "versions": [{"lessThanOrEqual": "v756", "status": "affected", "version": "v756", "versionType": "custom"}]}], "datePublic": "2022-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the service name field."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-05T15:26:35", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "ARTICA"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}], "solutions": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "source": {"discovery": "INTERNAL"}, "title": "Vulnerability XSS in service form name field", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pandorafms.com", "DATE_PUBLIC": "2022-02-21T11:00:00.000Z", "ID": "CVE-2021-46678", "STATE": "PUBLIC", "TITLE": "Vulnerability XSS in service form name field"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pandora FMS", "version": {"version_data": [{"platform": "all", "version_affected": "<=", "version_name": "v756", "version_value": "v756"}]}}]}, "vendor_name": "Artica PFMS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the service name field."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "refsource": "CONFIRM", "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"name": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "refsource": "CONFIRM", "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}]}, "solution": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "ARTICA", "cveId": "CVE-2021-46678", "datePublished": "2022-02-21T00:00:00", "dateReserved": "2022-02-08T00:00:00", "dateUpdated": "2022-08-05T15:26:35", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "81D6C1CE-F0A0-4FEF-BD10-E7E82E1DC605", "versionEndExcluding": "757", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the service name field."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo XSS en Pandora FMS versiones 756 y anteriores, que permite a un atacante llevar a cabo ejecuciones de c\u00f3digo javascript por medio del campo name del servicio"}], "id": "CVE-2021-46678", "lastModified": "2022-08-07T03:16:12.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.4, "source": "security@pandorafms.com", "type": "Secondary"}]}, "published": "2022-08-05T16:15:11.093", "references": [{"source": "security@pandorafms.com", "tags": ["Vendor Advisory"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"source": "security@pandorafms.com", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@pandorafms.com", "type": "Secondary"}]}