CVE-2019-20224

Name of the Vulnerable Software and Affected Versions Pandora FMS versions prior to 7.0 NG 742

Description The issue allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip src parameter in an "index.php?operation/netflow/nf live view" request. This is due to a problem in the netflow get stats function in functions netflow.php.

Recommendations For versions prior to 7.0 NG 742, update to Pandora FMS 7.0 NG 742 to resolve the issue. As a temporary workaround, consider restricting access to the netflow get stats function in functions netflow.php to minimize the risk of exploitation. Avoid using the ip src parameter in the affected API endpoint until the issue is resolved.