This morning, William Costa, one of our open source community members, discovered a new vulnerability in the agents visualization of Pandora FMS 5.1 SP1 that allows arbitrary HTML/script code to be executed in the context of the user's (the "victim's") browser.

The code injection is done through the “refr” parameter of the page “/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=”, which allows an attacker to send a link and choose the text written into the page.
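For operators who want to check whether such a link was requested on their console, the following added example (not part of the original post and not Pandora FMS code) scans web server access log lines for requests to this page whose `refr` value is not a plain integer. It assumes combined-format access logs and that legitimate `refr` values consist of digits only; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Page and parameter named in the advisory.
TARGET_SEC2 = "operation/agentes/estado_agente"
PARAM = "refr"

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_refr(log_line):
    """Return the decoded refr value if it is not a plain integer, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/index.php"):
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    if TARGET_SEC2 not in query.get("sec2", []):
        return None
    for value in query.get(PARAM, []):
        # Assumption: a legitimate value is digits only; empty means "not set".
        if value and not re.fullmatch(r"[0-9]+", value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_refr(line)
        if value is not None:
            hits.append((n, value))
    return hits

# Constructed sample log lines (not taken from a real server).
BASE = "/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr="
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "GET {BASE}60 HTTP/1.1" 200 5120',
    f'192.0.2.11 - - [01/Jan/2015:10:01:00 +0000] "GET {BASE}%22%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5188',
    f'192.0.2.12 - - [01/Jan/2015:10:02:00 +0000] "GET {BASE} HTTP/1.1" 200 5120',
    '192.0.2.13 - - [01/Jan/2015:10:03:00 +0000] "GET /index.php?sec=reporting&sec2=other/page&refr=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric refr value {value!r}")
```

A hit only shows that the crafted URL was requested; whether markup was reflected depends on whether the console had been updated at that time.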

Our development team got to work on this vulnerability and fixed it as quickly as possible. Below you can find the links to the corresponding packages for versions 5.0 and 5.1:

Pandora FMS 5.0:

Pandora FMS 5.1:
