CVE-2022-47372 - OpenCVE

Stored cross-site scripting vulnerability in the Create event section in Pandora FMS Console v766 and lower. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site or passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Pandorafms	Pandora Fms

Configuration 1 [-]

cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*

References

Link	Resource
https://gist.github.com/damodarnaik/576c39162fce7da458d2f41f1cbe99e8
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-02-15T00:00:00

Updated: 2023-10-18T11:07:35.780Z

Reserved: 2022-12-13T00:00:00

Link: CVE-2022-47372

JSON object: View

NVD Information

Status : Modified

Published: 2023-02-15T04:15:10.987

Modified: 2023-10-18T12:15:08.997

Link: CVE-2022-47372

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-47372", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "assignerShortName": "INCIBE", "dateUpdated": "2023-10-18T11:07:35.780Z", "dateReserved": "2022-12-13T00:00:00", "datePublished": "2023-02-15T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["all"], "product": "Pandora FMS", "vendor": "Artica PFMS", "versions": [{"lessThanOrEqual": "v766", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2022-12-13T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Stored cross-site scripting vulnerability in the Create event section in Pandora FMS Console v766 and lower. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site or passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload.</p>"}], "value": "Stored cross-site scripting vulnerability in the Create event section in Pandora FMS Console v766 and lower. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site or passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-18T11:07:35.780Z"}, "references": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"tags": ["related"], "url": "https://gist.github.com/damodarnaik/576c39162fce7da458d2f41f1cbe99e8"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>fixed in v767</p>"}], "value": "fixed in v767\n\n"}], "source": {"defect": ["2022-47372"], "discovery": "EXTERNAL"}, "title": "Stored cross-site scripting vulnerability in create event section", "x_generator": {"engine": "Vulnogram 0.0.9"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FC63B93-A766-461F-9877-4D51E1865E84", "versionEndIncluding": "766", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Stored cross-site scripting vulnerability in the Create event section in Pandora FMS Console v766 and lower. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a site or passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de Cross-Site Scripting almacenada en la secci\u00f3n Crear evento en la Consola de Pandora FMS v766 e inferiores. Un atacante suele explotar esta vulnerabilidad inyectando cargas \u00fatiles XSS en p\u00e1ginas populares de un sitio o pasando un enlace a una v\u00edctima, enga\u00f1\u00e1ndola para que vea la p\u00e1gina que contiene la carga \u00fatil XSS almacenada."}], "id": "CVE-2022-47372", "lastModified": "2023-10-18T12:15:08.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-02-15T04:15:10.987", "references": [{"source": "cve-coordination@incibe.es", "url": "https://gist.github.com/damodarnaik/576c39162fce7da458d2f41f1cbe99e8"}, {"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "cve-coordination@incibe.es", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}