CVE-2021-46681 - OpenCVE

A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Artica	Pandora Fms

Configuration 1 [-]

cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*

References

Link	Resource
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/	Vendor Advisory
https://www.incibe.es/en/cve-assignment-publication/coordinated-cves	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ARTICA

Published: 2022-02-21T00:00:00

Updated: 2022-08-05T15:25:33

Reserved: 2022-02-08T00:00:00

Link: CVE-2021-46681

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-05T16:15:11.300

Modified: 2022-08-08T17:40:02.020

Link: CVE-2021-46681

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"platforms": ["all"], "product": "Pandora FMS", "vendor": "Artica PFMS", "versions": [{"lessThanOrEqual": "v756", "status": "affected", "version": "v756", "versionType": "custom"}]}], "datePublic": "2022-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-05T15:25:33", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "ARTICA"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}], "solutions": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "source": {"discovery": "INTERNAL"}, "title": "Vulnerability XSS in module mass operation name field", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pandorafms.com", "DATE_PUBLIC": "2022-02-21T11:00:00.000Z", "ID": "CVE-2021-46681", "STATE": "PUBLIC", "TITLE": "Vulnerability XSS in module mass operation name field"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pandora FMS", "version": {"version_data": [{"platform": "all", "version_affected": "<=", "version_name": "v756", "version_value": "v756"}]}}]}, "vendor_name": "Artica PFMS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "refsource": "CONFIRM", "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"name": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "refsource": "CONFIRM", "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}]}, "solution": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "ARTICA", "cveId": "CVE-2021-46681", "datePublished": "2022-02-21T00:00:00", "dateReserved": "2022-02-08T00:00:00", "dateUpdated": "2022-08-05T15:25:33", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "C58D4E1F-7D31-498D-A392-54777B121E02", "versionEndExcluding": "757", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo XSS en Pandora FMS versiones 756 y posteriores, que permite a un atacante llevar a cabo ejecuciones de c\u00f3digo javascript por medio del campo name de operaci\u00f3n masiva del m\u00f3dulo"}], "id": "CVE-2021-46681", "lastModified": "2022-08-08T17:40:02.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.4, "source": "security@pandorafms.com", "type": "Secondary"}]}, "published": "2022-08-05T16:15:11.300", "references": [{"source": "security@pandorafms.com", "tags": ["Vendor Advisory"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"source": "security@pandorafms.com", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@pandorafms.com", "type": "Secondary"}]}