CVE-2010-4281

Name of the Vulnerable Software and Affected Versions Pandora FMS versions prior to 3.1.1

Description The issue concerns an incomplete blacklist vulnerability in the safe url extraclean function within the ajax.php file. This vulnerability allows remote attackers to execute arbitrary PHP code by utilizing a page parameter that contains a UNC share pathname, effectively bypassing the check for the : (colon) character.

Recommendations For versions prior to 3.1.1, update to version 3.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax.php file or disabling the safe url extraclean function until a patch is applied. Avoid using UNC share pathnames in the page parameter of the affected API endpoint until the issue is resolved.