CVE-2014-125115

An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.

CVSS

No CVSS.

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_fms_sqli.rb
https://web.archive.org/web/20140304121149/http://blog.pandorafms.org/?p=2041
https://web.archive.org/web/20140331231237/http://pandorafms.com/downloads/whats_new_5-SP3.pdf
https://www.exploit-db.com/exploits/35380
https://www.vulncheck.com/advisories/pandora-fms-default-creds-sqli-rce

Configurations

No configuration.

History

25 Jul 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-25 16:15

Updated : 2025-07-25 16:15

NVD link : CVE-2014-125115

Mitre link : CVE-2014-125115

JSON object : View

Products Affected

No product.

CWE

No CWE.

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_fms_sqli.rb", "name": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_fms_sqli.rb", "tags": [], "refsource": ""}, {"url": "https://web.archive.org/web/20140304121149/http://blog.pandorafms.org/?p=2041", "name": "https://web.archive.org/web/20140304121149/http://blog.pandorafms.org/?p=2041", "tags": [], "refsource": ""}, {"url": "https://web.archive.org/web/20140331231237/http://pandorafms.com/downloads/whats_new_5-SP3.pdf", "name": "https://web.archive.org/web/20140331231237/http://pandorafms.com/downloads/whats_new_5-SP3.pdf", "tags": [], "refsource": ""}, {"url": "https://www.exploit-db.com/exploits/35380", "name": "https://www.exploit-db.com/exploits/35380", "tags": [], "refsource": ""}, {"url": "https://www.vulncheck.com/advisories/pandora-fms-default-creds-sqli-rce", "name": "https://www.vulncheck.com/advisories/pandora-fms-default-creds-sqli-rce", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-125115", "ASSIGNER": "disclosure@vulncheck.com"}}, "impact": {}, "publishedDate": "2025-07-25T16:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-07-25T16:15Z"}