CVE-2019-20050: OS Command Injection
First published: Thu Jan 30 2020(Updated: )
Pandora FMS ≤ 7.42 suffers from a remote code execution vulnerability. To exploit the vulnerability, an authenticated user should create a new folder with a "tricky" name in the filemanager. The exploit works when the php-fileinfo extension is disabled on the host system. The attacker must include shell metacharacters in the content type.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Artica Pandora FMS | =7.42 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2019-20050.
What is the severity of CVE-2019-20050?
CVE-2019-20050 has a severity rating of high.
Which version of Pandora FMS is affected by CVE-2019-20050?
Pandora FMS version 7.42 is affected by CVE-2019-20050.
How does the vulnerability in Pandora FMS ≤ 7.42 manifest?
The vulnerability allows an authenticated user to exploit a remote code execution vulnerability by creating a folder with a specific name in the filemanager.
Is there a workaround for CVE-2019-20050?
Disabling the php-fileinfo extension on the host system can help mitigate the vulnerability.
- collector/nvd-index
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/artica
- canonical/artica pandora fms
- version/artica pandora fms/7.42