CVE-2010-4280

Name of the Vulnerable Software and Affected Versions Pandora FMS versions prior to 3.1.1

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via two specific API endpoints: "operation/agentes/ver agente" in "ajax.php" using the id group parameter, or "operation/agentes/estado agente" in "index.php" using the group id parameter. The vulnerability is related to the "operation/agentes/estado agente.php" file.

Recommendations For versions prior to 3.1.1, update to version 3.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "ajax.php" and "index.php" files, specifically to the "operation/agentes/ver agente" and "operation/agentes/estado agente" actions, until the update can be applied. Avoid using the id group and group id parameters in the affected API endpoints until the issue is resolved.