CVE-2014-125115

25.07.2025, 16:15

An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.

SQL Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
VulnCheck	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_fms_sqli.rb

https://web.archive.org/web/20140304121149/http://blog.pandorafms.org/?p=2041

https://web.archive.org/web/20140331231237/http://pandorafms.com/downloads/whats_new_5-SP3.pdf

https://www.exploit-db.com/exploits/35380

https://www.vulncheck.com/advisories/pandora-fms-default-creds-sqli-rce