CVE-2022-43980 : There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the

There is a stored cross-site scripting vulnerability in Pandora FMS v765 in the network maps editing functionality. An attacker could modify a network map, including on purpose the name of an XSS payload. Once created, if a user with admin privileges clicks on the edited network maps, the XSS payload will be executed. The exploitation of this vulnerability could allow an atacker to steal the value of the admin user´s cookie.

Published 2023-01-27 22:15:09

Updated 2023-02-22 00:15:11

Source Spanish National Cybersecurity Institute, S.A. (INCIBE)

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)

Products affected by CVE-2022-43980

Pandorafms » Pandora Fms
Versions before (<) 766
cpe:2.3:a:pandorafms:pandora_fms:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-43980

EPSS FAQ

0.66%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 69 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-43980

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.2	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N	0.9	4.2	Spanish National Cybersecurity Institute, S.A. (INCIBE)
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: Low Availability: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-43980

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigned by: cve-coordination@incibe.es (Secondary)

References for CVE-2022-43980

https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/

Pandora FMS Common Vulnerabilities and Exposures
Vendor Advisory

CVEs referencing this url
https://github.com/Argonx21/CVE-2022-43980

GitHub - Argonx21/CVE-2022-43980: Stored Cross Site Scripting Vulnerability in the network maps edit functionality

Jump to

Vulnerability Details : CVE-2022-43980

Products affected by CVE-2022-43980

Exploit prediction scoring system (EPSS) score for CVE-2022-43980

CVSS scores for CVE-2022-43980

CWE ids for CVE-2022-43980

References for CVE-2022-43980