CVE-2022-1648 MEDIUM

CVE-2022-1648: Relative Path Traversal to Remote Code Execution in File Manager

Vendor Artica Pfms

Product Pandora FMS

Weakness CWE-23

Published July 26, 2022

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

5.7/10

Attack vector Physical

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

Pandora FMS v7.0NG.760 and below allows a relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to a Remote Code Execution with running application privilege.

Key dates

02Disclosure timeline

July 26, 2022 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-1648 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/23.html

Related vulnerabilities

04Related CVE

CVE-2026-8073 Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP CVE-2021-4459 SMA: Directory Traversal in Sunny Boy <3.10.27.R CVE-2022-23531 Arbitrary file write when scanning a specially-crafted local PyPI package CVE-2025-10249 Slider Revolution <= 6.7.37 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Read CVE-2021-29488 Creation of files outside the Download Folder through malicious PAR2 files