Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization.

A SQL injection vulnerability in the pandora_console component of Artica Pandora FMS 742 allows an unauthenticated attacker to upgrade his unprivileged session via the /include/chart_generator.php session_id parameter, leading to a login bypass.

A remote file inclusion vulnerability exists in Artica Pandora FMS 742, exploitable by the lowest privileged user.

PandoraFMS 742 suffers from multiple XSS vulnerabilities, affecting the Agent Management, Report Builder, and Graph Builder components. An authenticated user can inject dangerous content into a data store that is later read and included in dynamic content.