An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.
The mobile/index.php endpoint does not sanitize the loginhash_data parameter — user input is directly concatenated into the SQL query, allowing an attacker to extract the administrator password hash or active session tokens. After gaining administrative access, the File Manager component does not verify the MIME type or extension of uploaded files, allowing the upload of any PHP file (web shell) to a publicly accessible directory. Executing the web shell gives the attacker full control over the server.
An attacker can completely compromise the server — gain remote access to the system shell (RCE), read or modify database data, and then use the server as an entry point for further lateral movement in the network.
Pandora FMS should be updated to version 5.0 SP3 or later, in which the described vulnerabilities have been fixed according to the SP3 release document available in the vendor's references. Until the update is applied, access to the Pandora FMS web interface should be restricted to trusted IP addresses only, and access to the mobile/index.php endpoint should be disabled from the public network.
Pandora FMS version 5.0 SP2 and earlier
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X