Remote Code Execution Vulnerability in Pandora FMS ≤ 7.42 via Tricky Folder Name and Disabled php-fileinfo Extension

Remote Code Execution Vulnerability in Pandora FMS ≤ 7.42 via Tricky Folder Name and Disabled php-fileinfo Extension

CVE-2019-20050 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type.

Learn more about our User Device Pen Test.