PT-2023-14420 · Unknown · Pandora Fms

Published

2023-01-27

Updated

2023-06-27

CVE-2022-43978

CVSS v3.1

5.6

Medium

Vector

AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Pandora FMS version 7.64

Description The issue is related to improper authentication. The application checks for a valid session when a user is not attempting to log in. A static secret in the generatePublicHash function allows an attacker with knowledge of a valid session to bypass authentication checks.

Recommendations For Pandora FMS version 7.64, consider disabling the generatePublicHash function as a temporary workaround until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Using Hardcoded Credentials

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798CWE-287

Related Identifiers

CVE-2022-43978

Affected Products

Pandora Fms

PT-2023-14420 · Unknown · Pandora Fms

CVE-2022-43978

Weakness Enumeration

Related Identifiers

Affected Products

References · 4