CVE-2021-46681 - Vulnerability Details - OpenCVE

A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00283.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Artica PFMS

Pandora FMS

affected

Version	Status	Constraints
`v756`	affected	≤ v756

Configuration 1 [-]

cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors	Products
Artica Subscribe	Pandora Fms Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2021-33357	A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field.

Fixes

Solution

This vulnerability has been solved in the 757 version of Pandora FMS.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
https://www.incibe.es/en/cve-assignment-publication/coordinated-cves

History

Tue, 02 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: ARTICA

Published: 2022-08-05T15:25:33.950Z

Updated: 2026-06-02T13:55:43.696Z

Reserved: 2022-02-08T00:00:00.000Z

Link: CVE-2021-46681

Vulnrichment

Updated: 2024-08-04T05:17:41.525Z

NVD

Status : Modified

Published: 2022-08-05T16:15:11.300

Modified: 2024-11-21T06:34:35.337

Link: CVE-2021-46681

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"platforms": ["all"], "product": "Pandora FMS", "vendor": "Artica PFMS", "versions": [{"lessThanOrEqual": "v756", "status": "affected", "version": "v756", "versionType": "custom"}]}], "datePublic": "2022-02-21T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-05T15:25:33.000Z", "orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "ARTICA"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}], "solutions": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "source": {"discovery": "INTERNAL"}, "title": "Vulnerability XSS in module mass operation name field", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@pandorafms.com", "DATE_PUBLIC": "2022-02-21T11:00:00.000Z", "ID": "CVE-2021-46681", "STATE": "PUBLIC", "TITLE": "Vulnerability XSS in module mass operation name field"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pandora FMS", "version": {"version_data": [{"platform": "all", "version_affected": "<=", "version_name": "v756", "version_value": "v756"}]}}]}, "vendor_name": "Artica PFMS"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "refsource": "CONFIRM", "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"name": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "refsource": "CONFIRM", "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}]}, "solution": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:41.525Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-26T20:06:56.286860Z", "id": "CVE-2021-46681", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T13:55:43.696Z"}}]}, "cveMetadata": {"assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "assignerShortName": "ARTICA", "cveId": "CVE-2021-46681", "datePublished": "2022-08-05T15:25:33.950Z", "dateReserved": "2022-02-08T00:00:00.000Z", "dateUpdated": "2026-06-02T13:55:43.696Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:41.525Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-46681", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-26T20:06:56.286860Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-02T13:55:39.004Z"}}], "cna": {"title": "Vulnerability XSS in module mass operation name field", "source": {"discovery": "INTERNAL"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Artica PFMS", "product": "Pandora FMS", "versions": [{"status": "affected", "version": "v756", "versionType": "custom", "lessThanOrEqual": "v756"}], "platforms": ["all"]}], "solutions": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "datePublic": "2022-02-21T00:00:00.000Z", "references": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "ARTICA", "dateUpdated": "2022-08-05T15:25:33.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, "source": {"discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"platform": "all", "version_name": "v756", "version_value": "v756", "version_affected": "<="}]}, "product_name": "Pandora FMS"}]}, "vendor_name": "Artica PFMS"}]}}, "solution": [{"lang": "en", "value": "This vulnerability has been solved in the 757 version of Pandora FMS."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "name": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/", "refsource": "CONFIRM"}, {"url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "name": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-46681", "STATE": "PUBLIC", "TITLE": "Vulnerability XSS in module mass operation name field", "ASSIGNER": "security@pandorafms.com", "DATE_PUBLIC": "2022-02-21T11:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-46681", "state": "PUBLISHED", "dateUpdated": "2026-06-02T13:55:43.696Z", "dateReserved": "2022-02-08T00:00:00.000Z", "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "datePublished": "2022-08-05T15:25:33.950Z", "assignerShortName": "ARTICA"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*", "matchCriteriaId": "C58D4E1F-7D31-498D-A392-54777B121E02", "versionEndExcluding": "757", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo XSS en Pandora FMS versiones 756 y posteriores, que permite a un atacante llevar a cabo ejecuciones de c\u00f3digo javascript por medio del campo name de operaci\u00f3n masiva del m\u00f3dulo"}], "id": "CVE-2021-46681", "lastModified": "2024-11-21T06:34:35.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 3.4, "source": "security@pandorafms.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-05T16:15:11.300", "references": [{"source": "security@pandorafms.com", "tags": ["Vendor Advisory"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"source": "security@pandorafms.com", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/cve-assignment-publication/coordinated-cves"}], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@pandorafms.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}