CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
CVE-2025-4678: Remote Code Execution leads to Command Injection
7.0
CVSS
Description
Improper Neutralization of Special Elements in the chromium_path variable may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
Classification
CVE ID: CVE-2025-4678
CVSS Base Severity: HIGH
CVSS Base Score: 7.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/R:U/V:D/RE:M/U:Green
Problem Types
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')Affected Products
Vendor: Pandora FMS
Product: Pandora ITSM
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.57% (probability of being exploited)
EPSS Percentile: 67.45% (scored less or equal to compared to others)
EPSS Date: 2025-06-20 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: total
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2025-4678https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/