CVE-2010-4279
02.12.2010, 17:15
The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter.Enginsight
| Vendor | Product | Version |
|---|---|---|
| artica | pandora_fms | 𝑥 ≤ 3.1 |
| artica | pandora_fms | 1.2 |
| artica | pandora_fms | 1.3 |
| artica | pandora_fms | 1.3:beta |
| artica | pandora_fms | 1.3:beta1 |
| artica | pandora_fms | 1.3:beta2 |
| artica | pandora_fms | 1.3:beta3 |
| artica | pandora_fms | 1.3.1 |
| artica | pandora_fms | 2.0 |
| artica | pandora_fms | 2.0:beta |
| artica | pandora_fms | 2.1 |
| artica | pandora_fms | 2.1.1 |
| artica | pandora_fms | 3.0 |
| artica | pandora_fms | 3.0:rc1 |
| artica | pandora_fms | 3.0:rc2 |
| artica | pandora_fms | 3.1:rc1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References