CVE-2010-4282 in Pandora FMS

Summary

by MITRE

Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php.


Analysis

by VulDB Data Team • 10/24/2025

The vulnerability described in CVE-2010-4282 represents a critical directory traversal issue affecting Pandora FMS versions prior to 3.1.1, exposing the system to remote code execution and arbitrary file manipulation attacks. This vulnerability stems from insufficient input validation in multiple script files, creating pathways for malicious actors to access and manipulate local system resources through carefully crafted HTTP requests. The affected components include ajax.php, general/pandora_help.php, and operation/agentes/networkmap.php, each presenting distinct attack vectors that collectively weaken the application's security posture.

The technical flaw is improper sanitization of the user-supplied page, id, and layout parameters. Because each value is used to build a file path without adequate validation, an attacker can supply directory-traversal sequences to reach files outside the intended application directory. This maps directly to CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. Per the CVE description, the page parameter in ajax.php and the id parameter in general/pandora_help.php allow local files to be included and executed, while the layout parameter in operation/agentes/networkmap.php additionally allows files to be created, modified, or deleted.
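The two checks that close this class of flaw, an exact allowlist of includable pages and a canonical-path containment test, written in Python as an added illustration. This is not Pandora FMS code (the console is PHP); BASE_DIR, ALLOWED_PAGES and all function names are constructed for the example, and unsafe_resolve only mirrors the CWE-22 pattern the analysis describes.

```python
import posixpath

# Constructed values: the directory and page names are illustrative,
# not Pandora FMS's real include layout.
BASE_DIR = "/var/www/console/include"
ALLOWED_PAGES = frozenset({"agent_list", "network_map", "help_index"})


def unsafe_resolve(base_dir, name):
    """The CWE-22 pattern: the request value is spliced straight into the
    include path, so '..' segments walk out of base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, name))


def resolve_by_allowlist(name):
    """Preferred fix when the set of includable pages is fixed: map an exact
    token to a file and never use the caller's string as a path."""
    if name not in ALLOWED_PAGES:
        return None
    return posixpath.join(BASE_DIR, name + ".php")


def resolve_by_containment(base_dir, name):
    """Fallback when an allowlist is impractical: reject NUL bytes and
    absolute inputs, canonicalise, and require the result to stay below
    base_dir. posixpath is used so the example runs without touching a
    filesystem; a real deployment should canonicalise with os.path.realpath
    so that symlinks cannot escape the directory either."""
    if not name or "\x00" in name or name.startswith("/"):
        return None
    root = base_dir.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, name))
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print(unsafe_resolve(BASE_DIR, "../../../../etc/passwd"))       # escapes base_dir
    print(resolve_by_containment(BASE_DIR, "../../../../etc/passwd"))  # None
    print(resolve_by_allowlist("agent_list"))
```

The containment check must run on the value the include statement will actually use, after the web layer has finished URL-decoding it once; checking a still-encoded copy is what lets percent-encoded or double-encoded traversal sequences through.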

The operational impact of this vulnerability extends far beyond simple information disclosure, as it enables full system compromise through remote code execution capabilities. Attackers can leverage these vulnerabilities to gain unauthorized access to sensitive system resources, potentially leading to complete system takeover, data exfiltration, and persistent backdoor establishment. The ability to create, modify, or delete arbitrary local files provides attackers with persistent access and the capability to establish footholds within the target environment. This vulnerability particularly affects organizations using Pandora FMS for network monitoring and management, where the compromise of such systems can lead to widespread network disruption and security breaches.

The attack vectors described in this vulnerability align with several techniques documented in the MITRE ATT&CK framework, specifically covering privilege escalation and persistence mechanisms through file manipulation. The vulnerability's exploitation requires minimal prerequisites and can be automated, making it particularly dangerous in environments where Pandora FMS is deployed without proper network segmentation or additional security controls. Organizations should prioritize immediate remediation through the official 3.1.1 patch release, which implements proper input validation and parameter sanitization. Additional mitigations include implementing web application firewalls, restricting network access to affected components, and conducting thorough security assessments of all Pandora FMS installations to identify potential exploitation attempts. The vulnerability underscores the critical importance of input validation and proper access controls in web applications, particularly those handling sensitive operational data in network monitoring contexts.
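For the assessment step recommended above, an added example (not VulDB's or Pandora FMS's code) that scans web server access log lines for traversal sequences in the three parameters the advisory names. The log lines, the /monitor/ install prefix and the client addresses are constructed for the example; scripts are matched on path suffix because the real prefix varies between deployments.

```python
import re
from urllib.parse import unquote, urlsplit

# Scripts and parameters named in the CVE description, matched on path suffix.
WATCHED = {
    "ajax.php": "page",
    "general/pandora_help.php": "id",
    "operation/agentes/networkmap.php": "layout",
}

# Apache/nginx combined log format, enough fields for this check.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment in either slash style, or an embedded NUL byte.
_TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|\x00')

# Constructed sample lines: one benign request per script, three traversal
# attempts with zero, one and two layers of percent-encoding, one unrelated hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Dec/2010:10:00:01 +0000] "GET /monitor/ajax.php?page=agent_list HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Dec/2010:10:00:02 +0000] "GET /monitor/ajax.php?page=../../../../etc/passwd HTTP/1.1" 200 1840',
    '203.0.113.5 - - [02/Dec/2010:10:00:03 +0000] "GET /monitor/general/pandora_help.php?id=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1840',
    '203.0.113.9 - - [02/Dec/2010:10:00:04 +0000] "GET /monitor/operation/agentes/networkmap.php?layout=%252e%252e%252fconfig HTTP/1.1" 200 96',
    '198.51.100.7 - - [02/Dec/2010:10:00:05 +0000] "GET /monitor/index.php?sec=main HTTP/1.1" 200 4096',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), returning the
    plain value and how many encoding layers were peeled off. A decoder that
    stops after one round misses double-encoded sequences."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def scan_log(lines):
    """Return one finding per request whose watched parameter, once decoded,
    contains a traversal sequence. The query string is split by hand so the
    raw (still-encoded) value reaches fully_decode."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for script, param in WATCHED.items():
            if not parts.path.endswith("/" + script):
                continue
            for pair in parts.query.split("&"):
                key, _, raw = pair.partition("=")
                if key != param:
                    continue
                value, rounds = fully_decode(raw)
                if _TRAVERSAL_RE.search(value):
                    findings.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "script": script,
                        "param": param,
                        "value": value,
                        "rounds": rounds,
                        "status": m.group("status"),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['script']} {f['param']}={f['value']!r} "
              f"(encoding layers: {f['rounds']}, status {f['status']})")
```

A 200 response in the log shows that the request reached the script, not that the include succeeded, so findings are leads for triage on a pre-3.1.1 host rather than confirmed compromises; on a patched host the same matches still identify which clients are probing the console.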

Reservation: 11/17/2010

Disclosure: 12/02/2010

Moderation: accepted

Entry: VDB-55610

CPE: ready

Exploit: Download

EPSS: 0.19495

KEV: no

Activities: very low

Sources
