Gaurish Kauthankar

**Name of the Vulnerable Software and Affected Versions** Pandora FMS versions prior to v767 **Description** A Cross-site Scripting (XSS) issue in the Special Days component allows an attacker to steal the session cookie value of admin users with little user interaction. **Recommendations** For versions prior to v767, update to version v767 or later to resolve the issue. As a temporary workaround, consider restricting access to the Special Days component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pandora FMS Console versions prior to v767 **Description** The issue arises from a Reflected Cross Site Scripting vulnerability in the Search Functionality of the Module Library. This vulnerability is triggered by the forget password functionality, where the `username` parameter lacks proper input validation and sanitization, allowing the execution of malicious JavaScript payloads. **Recommendations** For versions prior to v767, update to a version that includes proper input validation and sanitization for the `username` parameter in the forget password functionality. As a temporary workaround, consider restricting access to the forget password functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat (affected versions not specified) Pandora FMS version 7.65 **Description** The issue concerns errors in synchronization when using a shared resource in Apache Tomcat, potentially allowing a remote attacker to gain unauthorized access to protected information. Additionally, there is a stored cross-site scripting issue in Pandora FMS, specifically in the network maps editing functionality. This could allow an attacker to modify a network map to include an XSS payload, which would be executed if an admin user clicks on the edited map, potentially leading to the theft of the admin user's cookie. **Recommendations** For Apache Tomcat, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Pandora FMS version 7.65, consider restricting access to the network maps editing functionality until a patch is available, and avoid clicking on edited network maps to minimize the risk of exploitation.