56 matches found
CVE-2019-16405
Centreon Web products are affected by CVE-2019-16405 (and related CVE-2019-17501): remote code execution via an administrator who can modify Macro Expression location settings. Affected versions include Centreon Web prior to 2.8.30, 18.10.x prior to 18.10.8, 19.04.x prior to 19.04.5, and 19.10.x ...
CVE-2021-26804
CVE-2021-26804 affects Centreon Web versions 19.10.18, 20.04.8, and 20.10.2. The issue stems from insecure permissions that allow a remote attacker to bypass validation by changing any file extension to ".gif" and uploading it via Administration/Parameters/Images, effectively enabling unauthorize...
CVE-2024-23115
Centreon updateGroups SQL Injection (CVE-2024-23115) allows remote code execution via improper validation of a user-supplied string used to build SQL queries in the updateGroups function. This requires authentication to exploit and can run code in the service account context. Connected sources (V...
CVE-2024-23116
Summary (CVE-2024-23116): Centreon is vulnerable to a SQL Injection in the core function updateLCARelation , caused by improper validation of a user-supplied string used to build SQL queries. This leads to Remote Code Execution in the context of the service account. The vulnerability is documente...
CVE-2024-23119
Centreon insertGraphTemplate SQL Injection leads to Remote Code Execution. The flaw is improper validation of a user-supplied string used to build SQL queries inside insertGraphTemplate, allowing an attacker to run code in the service account. Exploitation requires authentication. Affected Centre...
CVE-2024-23117
CVE-2024-23117 concerns Centreon: the vulnerability is in the updateContactServiceCommands function where user-supplied input is not properly validated before being used to build SQL queries. This leads to a SQL Injection that can execute arbitrary code in the context of the Centreon service acco...
CVE-2024-23118
CVE-2024-23118 describes a SQL Injection in Centreon’s updateContactHostCommands function. The root cause is improper validation of user-supplied input used to build SQL queries, enabling an attacker to execute arbitrary code in the context of the service account. Exploitation requires authentica...
CVE-2024-33852
CVE-2024-33852 describes a SQL Injection in Centreon Web’s Downtime component. Affected versions are Centreon Web 22.10.0–22.10.22, 23.04.0–23.04.18, 23.10.0–23.10.12, and 24.04.0–24.04.2; the issue exists before the listed fixed releases. The root cause is improper input handling that corrupts o...
CVE-2024-53923
CVE-2024-53923 – Centreon Web : Multiple sources (Red Hat, Snyk, CVE listings, PT Security, etc.) confirm a SQL injection in the media-upload form that can be triggered by a user with high privileges. Affected versions include Centreon Web 23.04.x (to 23.04.23), 23.10.x (to 23.10.18), 24.04.x (to...
CVE-2019-17107
CVE-2019-17016, -17017, -17022, -17024, -17026 are addressed in Thunderbird upstream: multiple issues including CSS sanitization bypass on pasting, type confusion in XPCVariant.cpp, memory-safety bugs, and related advisory notes. The connected documents confirm affected product: Thunderbird (and ...
CVE-2024-0637
Centreon updateDirectory SQL Injection Remote Code Execution vulnerability affects Centreon installations. The flaw is due to improper validation of a user-supplied string in the updateDirectory function, which is used to build SQL queries. This can allow an attacker to execute arbitrary code in ...
CVE-2024-55573
Centreon centreon-web is affected by SQL injection in the form used to create virtual metrics. Vulnerable versions include 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, and 23.04.x before 23.04.24. The issue is triggered by high-privilege users and requires no user inte...
CVE-2024-5723
Centreon updateServiceHost exposes a SQL Injection that leads to Remote Code Execution. The flaw occurs in updateServiceHost due to improper validation of a user-supplied string used to build SQL queries, allowing an attacker to run code in the apache user context after authentication is required...
CVE-2018-11587
CVE-2018-11587 describes remote code execution in Centreon 3.4.6/Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php.根据公开资料,影响组件为 Centreon/Centreon Web,漏洞根本原因是对 Virtual Metric 表单中 RPN 值的处理不安全,导致攻击者网络可远程执行代码,影响程度为高/关键。建议升级到包含修复的版本(如 Centreon Web 2.8.24,相关发布 ...
CVE-2023-51633
Centreon (Centreon) sysName Cross-Site Scripting Remote Code Execution vulnerability (CVE-2023-51633) stems from improper validation of input in the SNMP sysName OID, enabling arbitrary code execution with the service account when a user-provided value is processed. Exploitation requires user int...
CVE-2024-32501
CVE-2024-32501 is a SQL Injection vulnerability in Centreon Web via updateServiceHost. Affected versions: Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. Root cause cited across sources: improper input validation in updateService...
CVE-2019-16406
Centreon Web 19.04.4 is affected. Weak permissions in the OVA/OVF files enable privilege escalation via a Trojan horse Centreon-autodisco executable launched by cron, granting higher privileges. The Red Hat and CVE references corroborate the same issue across multiple feeds. No additional exploit...
CVE-2024-33854
Centreon Web contains a SQL Injection in the Graph Template component. Affected versions are 22.10.0–22.10.22, 23.04.0–23.04.18, 23.10.0–23.10.12, and 24.04.0–24.04.2; fixed in 22.10.23, 23.04.19, 23.10.13, and 24.04.3 respectively. Root cause is lack of protection of the SQL query structure. Rem...
CVE-2019-17108
CVE-2019-17108 affects Centreon Web (prior to version 2.8.28). The vulnerability is a Local File Inclusion in brokerPerformance.php, caused by lack of proper validation of client-side data (e.g., filename), which can let an attacker disclose information and potentially trigger a stored XSS on a u...
CVE-2024-39841
Centreon Web is affected by a SQL Injection in the service configuration via the testServiceExistence() function. The issue permits manipulation of SQL queries due to improper input handling, impacting Centreon Web versions 22.10.0–22.10.22, 23.04.0–23.04.18, 23.10.0–23.10.12, and 24.04.0–24.04.2...
CVE-2025-3872
CVE-2025-3872 is an SQL Injection vulnerability in Centreon centreon-web (User configuration form modules) that allows a high-privilege user to elevate to administrator by tampering the contact form payload. The issue affects Centreon Web versions listed by PT-Security (22.10.0–27, 23.04.0–23.04....
CVE-2024-5725
Centreon vulnerability CVE-2024-5725 is a SQL Injection in the initCurveList function that allows remote code execution. The flaw arises from improper validation of a user-supplied string used to build SQL queries, enabling an attacker to run arbitrary code in the context of the apache user. Auth...
CVE-2019-15298
Centreon Web (version 19.04.3 and earlier) is affected by an authenticated command injection in include/configuration/configObject/traps-mibs/formMibs.php. The mnftr parameter is not properly filtered when submitting a file via the mibs management form, allowing injected Linux commands to be exec...
CVE-2025-4649
Centreon web contains an ACL-related privilege management flaw that can lead to privilege escalation when viewing the event logs. Affected versions are: 24.10.3–24.10.4, 24.04.09–24.04.10, 23.10.19–23.10.21, and 23.04.24–23.04.26. Remediation is to upgrade to 24.10.4+ for the 24.10 line, 24.04.10...
CVE-2024-33853
Summary: CVE-2024-33853 affects Centreon Web’s Timeperiod component. The vulnerability is a SQL Injection in Centreon Web versions prior to 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. The issue stems from how SQL queries are constructed (lack of input v...
CVE-2019-17106
CVE-2019-17106 affects Centreon Web up to version 2.8.29. The issue is disclosure of external components’ passwords, which authenticated attackers can use to move laterally to external components. The available connected records repeat the same description without adding new technical details (no...
CVE-2018-11589
CVE-2018-11589 affects Centreon 3.4.6 and Centreon Web 2.8.23, with multiple SQL injections via parameters such as viewLogs.php (searchU), GetXmlHost.php (id), ExportCSVServiceData.php (chartId or searchU), and listComponentTemplates/listMetrics (searchCurve/host_id). The issue allows arbitrary S...
CVE-2025-4647
CVE-2025-4647 is a Centreon Web vulnerability: improper neutralization of input during web page generation leading to Reflected XSS. A user with elevated privileges can bypass sanitization by replacing the content of an existing SVG. Affected versions are Centreon Web 24.10.0–before 24.10.5, 24.0...
CVE-2018-11588
Centreon 3.4.6 with Centreon Web 2.8.23 is vulnerable to a stored XSS via an authenticated user injecting a payload into the username or command description. The issue affects files controlling menu and command configuration (www/include/core/menu/menu.php and www/include/configuration/configObje...
CVE-2018-21020
Centreon Web component centreonAuth.class.php contains a PHP type juggling flaw that, before version 2.8.27, can allow an attacker to bypass authentication. The issue is documented across multiple sources (CVE-2018-21020; affected product Centreon Web pre-2.8.27). Impact is authentication bypass ...
CVE-2018-21023
Centreon Web ≤ 2.8.28 contains a code execution vulnerability in getStats.php via the ns_id parameter. The issue arises from how externally entered data is used to construct a code segment, enabling authenticated attackers to execute arbitrary code. Affected product/version details and CVE descri...
CVE-2019-15299
Centreon Web (up to version 19.04.3) contains an authentication bypass issue: after a user changes their password on their profile page, the contact_autologin_key field in the database is set to blank instead of NULL. This behavior enables partial bypass of authentication. The available connected...
CVE-2025-4646
Centreon Web (API Token creation form modules) is affected by CVE-2025-4646: an Improper Privilege Management vulnerability that can enable privilege escalation. The issue exists in Centreon Web versions 24.04.0 up to, but not including, 24.04.10 and 24.10.0 up to, but not including, 24.10.4. Roo...
CVE-2025-4648
Centreon web is affected by a reflected XSS vulnerability (CVE-2025-4648) where the content of an uploaded SVG file is not properly validated. A user with elevated privileges can inject JavaScript by altering a SVG media during submission. Affected versions include Centreon web 22.10.0–22.10.29, ...
CVE-2018-21021
Summary of CVE-2018-21021 : Multiple sources confirm a SQL injection vulnerability in Centreon Web (Centreon/Merethis) prior to version 2.8.27. The issue is triggered via the host_id parameter in img_gantt.php, allowing an attacker to inject and potentially execute arbitrary SQL commands. Exploit...
CVE-2019-15300
The CVE-2019-15300 issue affects Centreon Web up to version 19.04.3. It is an authenticated SQL injection vulnerability in the page include/Administration/parameters/ldap/xml/ldap_host.php, where the arId parameter is not properly filtered before being concatenated into the SQL query. This leads ...
CVE-2026-2751
CVE-2026-2751 affects Centreon Web on Central Server (Linux) in the Service Dependencies module. The root cause is a Blind SQL Injection due to unsanitized array keys during deletion of Service Dependencies. Affected versions are Centreon Web before 25.10.8, 24.10.20, and 24.04.24. The vulnerabil...
CVE-2018-21022
Centreon Web vulnerability CVE-2018-21022: The affected component is makeXML_ListServices.php in Centreon Web, with the root cause being a SQL injection via the host_id parameter. Versions prior to 2.8.28 are affected. Impact is that an attacker could inject SQL commands through the host_id value...
CVE-2019-17105
Centreon Web prior to 2.8.27 is affected by CVE-2019-17105 where the token generator in index.php is predictable. The issue is documented as a predictable token generator, enabling potential token guessing that could enable unauthorized access or session-related abuse. Connected sources also desc...
CVE-2025-6791
Centreon Web’s Monitoring event logs module is affected by an SQL Injection due to improper neutralization of special elements in an SQL command. An authenticated, low-privilege attacker can modify HTTP requests to insert payloads into the database. Affected Centreon Web versions: 23.10.0–23.10.2...
CVE-2025-10023
Centreon Infra Monitoring (Services Meta-services modules) exposes a Stored XSS in Web Page Generation due to improper input neutralization. Affected versions include 23.10.0–23.10.26, 24.04.0–24.04.16, and 24.10.0–24.10.9. The issue requires elevated privileges and user interaction to exploit, w...
CVE-2025-8430
The vulnerability CVE-2025-8430 affects Centreon Infra Monitoring, specifically the Commands Connectors configuration modules. It is a Stored XSS arising from improper neutralization of input during web page generation, exploitable by users with elevated privileges. Affected versions are Infra Mo...
CVE-2025-54892
Centreon CVE-2025-54892 is a stored XSS in the Centreon Infra Monitoring SNMP traps group configuration module. The issue arises from improper input neutralization during web page generation, allowing a user with elevated privileges to inject scripts. Affected versions include 24.10.0–24.10.12, 2...
CVE-2025-5946
Centreon Infra Monitoring has a high-severity OS Command Injection vulnerability (CVE-2025-5946) affecting the poller reload feature. A user with high privileges on the Centreon Web UI can inject commands via the broker engine reload parameter, triggering potential remote code execution. Public d...
CVE-2025-8459
Centreon Infra Monitoring is affected by a stored XSS vulnerability (CVE-2025-8459) due to improper neutralization of input during web page generation. Affects multiple branches: 24.10.0–24.10.12, 24.04.0–24.04.17, and 23.10.0–23.10.27. The issue allows stored XSS in the Recurrent Downtimes page,...
CVE-2025-4650
Centreon Web SQL Injection (CVE-2025-4650) affects Centreon Web via the Meta Service indicator page. The root cause is improper neutralization of special elements in an SQL command, enabling a high-privilege attacker to perform a SQLi without user interaction. Affected versions include web 23.10....
CVE-2025-5965
Centreon Infra Monitoring is affected by an OS Command Injection in the backup configuration when a high-privilege user appends custom instructions. The root cause is improper neutralization of special elements used in OS commands. Affected versions include Infra Monitoring 25.10.0–25.10.1 (befor...
CVE-2025-8428
CVE-2025-8428 is a Stored XSS in Centreon Infra Monitoring (HTTP Loader widget modules) caused by improper input neutralization during web page generation. The issue affects Centreon Infra Monitoring versions: 24.10.0–24.10.12, 24.04.0–24.04.17, and 23.10.0–23.10.27. Exploitation could allow an a...
CVE-2025-8429
CVE-2025-8429 corresponds to a Stored XSS in Centreon Infra Monitoring (ACL Action access configuration modules) caused by improper neutralization of input during web page generation. Affected versions are Centreon Infra Monitoring 23.10.0–23.10.28, 24.04.0–24.04.18, and 24.10.0–24.10.13. Potenti...
CVE-2025-13056
Summary: CVE-2025-13056 is a stored XSS vulnerability in Centreon Infra Monitoring, specifically in the Administration ACL menu configuration modules . The issue arises from ** Improper Neutralization of Input During Web Page Generation**, allowing stored scripts to execute in the context of user...