CVE-2022-26310 HIGH

CVE-2022-26310: Improper Authorization in User Management to Vertical Privilege Escalation

Vendor Artica Pfms

Product Pandora FMS

Weakness CWE-285

Published August 1, 2022

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

7.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could lead to a vertical privilege escalation to access the privileges of a higher-level user or typically an admin user.

Key dates

02Disclosure timeline

August 1, 2022 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-26310

Related vulnerabilities

04Related CVE

CVE-2024-39415 An unauthorized user can export the Tax Sales Report CVE-2021-28506 An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device. CVE-2017-0894 CVE-2025-13808 orionsec orion-ops User Profile UserController.java update improper authorization CVE-2026-2107 yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization