CRITICAL🇵🇱 Wersja polska

CVE-2014-125115

CVSS 10.0v4.0pub. 2025-07-25upd. 2026-04-15

An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.

🤖 AI Analysis
How it works

The mobile/index.php endpoint does not sanitize the loginhash_data parameter — user input is directly concatenated into the SQL query, allowing an attacker to extract the administrator password hash or active session tokens. After gaining administrative access, the File Manager component does not verify the MIME type or extension of uploaded files, allowing the upload of any PHP file (web shell) to a publicly accessible directory. Executing the web shell gives the attacker full control over the server.

Impact

An attacker can completely compromise the server — gain remote access to the system shell (RCE), read or modify database data, and then use the server as an entry point for further lateral movement in the network.

Mitigation & patch

Pandora FMS should be updated to version 5.0 SP3 or later, in which the described vulnerabilities have been fixed according to the SP3 release document available in the vendor's references. Until the update is applied, access to the Pandora FMS web interface should be restricted to trusted IP addresses only, and access to the mobile/index.php endpoint should be disabled from the public network.

Who is affected

Pandora FMS version 5.0 SP2 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References