CVE-2023-4677 HIGH

CVE-2023-4677: Unauthenticated Admin Account Takeover Via Cron Log File Backups

Vendor Pandora FMS
Product Pandora FMS
Weakness CWE-287 · Improper authentication
Published November 23, 2023
Last update December 2, 2024

CVSS base score

7.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01 Description

Backup copies of the cron log contain administrator session IDs. Any attacker who can reach the Pandora FMS Console over the network can, without authenticating, retrieve those cron log backups from the cron logs directory. The session IDs recovered from the log files can then be replayed to authenticate to the application as an administrator. This issue affects Pandora FMS versions 772 and earlier.
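The practical check a defender wants here is whether any log or backup file under the web root already carries session identifiers. The following script is an added example, not code from Pandora FMS or from the advisory: it scans log text for session-ID-shaped tokens and produces a redacted copy. It assumes the console is a PHP application, so the token shapes it looks for are PHP's default session ID formats (32 hex characters, or 26 characters from [0-9a-v] on older defaults); the key names it matches on and the sample log lines are constructed for the example, not taken from a real Pandora FMS cron log.

```python
"""Audit log/backup files for leaked session identifiers (added example)."""
import re
import sys
from dataclasses import dataclass
from typing import List

# Heuristic: a key that suggests a session identifier, followed by a token.
# Assumption (not from the advisory): the console is a PHP application, so a
# leaked token looks like a PHP session ID. Default PHP IDs are 32 hex chars;
# older defaults produce 26 chars drawn from [0-9a-v]. Extend the key list
# if the application logs its session under a different name.
SESSION_TOKEN_RE = re.compile(
    r"(?i)\b(PHPSESSID|session_id|sessid|sid)\b\s*[=:]\s*[\"']?"
    r"([0-9a-f]{32}|[0-9a-v]{26})\b"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    token: str


def find_session_ids(text: str) -> List[Finding]:
    """Return every session-ID-shaped token found in the log text."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SESSION_TOKEN_RE.finditer(line):
            findings.append(Finding(n, m.group(1), m.group(2)))
    return findings


def redact_session_ids(text: str) -> str:
    """Return the log text with each token replaced, keeping the key visible."""
    def repl(m: "re.Match[str]") -> str:
        prefix_len = m.start(2) - m.start(0)   # length of 'key=' part
        return m.group(0)[:prefix_len] + "<REDACTED>"
    return SESSION_TOKEN_RE.sub(repl, text)


# Constructed sample log lines for the example; line 2 and line 4 contain
# tokens of the two shapes above, line 3 is a near miss that must not match.
SAMPLE_LOG = """\
2023-11-23 02:00:01 cron started
2023-11-23 02:00:01 running task as user admin, PHPSESSID=3f1e9c2a7b4d5e6f8a9b0c1d2e3f4a5b
2023-11-23 02:00:02 task finished, sid=abc
2023-11-23 02:00:03 legacy entry session_id: 0123456789abcdefghijklmnop
"""


def audit_text(name: str, text: str) -> int:
    """Print findings for one log and return how many were found."""
    findings = find_session_ids(text)
    for f in findings:
        print(f"{name}:{f.line_no}: leaked {f.key} token ({len(f.token)} chars)")
    return len(findings)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: run against the constructed sample.
        total = audit_text("sample", SAMPLE_LOG)
        print(redact_session_ids(SAMPLE_LOG))
    else:
        total = 0
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                total += audit_text(p, fh.read())
    sys.exit(1 if total else 0)
```

Run it over the directory that holds the cron log backups (and over any other log the web server can serve). A non-zero exit means at least one session ID is sitting in a file an unauthenticated client may be able to fetch: treat every token found as compromised, invalidate those sessions, and fix the logging so the identifier is never written in the first place; redaction after the fact only limits what future backups expose.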

Key dates

02 Disclosure timeline

November 23, 2023 CVE published
December 2, 2024 Record updated