6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
48.2%
Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability. The vulnerability is found within the menuXML.php
file inside the ‘menu
’ parameter. It was reported that by injecting a payload after the menu parameter, for example ’ AND SLEEP(5) AND 'meHL'='meHL
, the web application hung for 5 seconds.
A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.
Update
The vendor has stated that this vulnerability has been addressed in Centreon 2.4.0. Users are advised to update to Centreon 2.4.0 or newer.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user’s host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.
856892
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: November 09, 2012 Updated: December 07, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6.3 | AV:N/AC:M/Au:S/C:C/I:N/A:N |
Temporal | 4.8 | E:U/RL:U/RC:UC |
Environmental | 1.3 | CDP:L/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Tom Gregory of Spentera for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: | CVE-2012-5967 |
---|---|
Date Public: | 2012-12-12 Date First Published: |