Lucene search
K
CentreonCentreon Web

56 matches found

CVE
CVE
added 2019/11/21 5:35 p.m.90 views

CVE-2019-16405

Centreon Web products are affected by CVE-2019-16405 (and related CVE-2019-17501): remote code execution via an administrator who can modify Macro Expression location settings. Affected versions include Centreon Web prior to 2.8.30, 18.10.x prior to 18.10.8, 19.04.x prior to 19.04.5, and 19.10.x ...

9CVSS7.2AI score0.27002EPSS
CVE
CVE
added 2021/05/04 4:49 p.m.86 views

CVE-2021-26804

CVE-2021-26804 affects Centreon Web versions 19.10.18, 20.04.8, and 20.10.2. The issue stems from insecure permissions that allow a remote attacker to bypass validation by changing any file extension to ".gif" and uploading it via Administration/Parameters/Images, effectively enabling unauthorize...

6.5CVSS6.5AI score0.01189EPSS
CVE
CVE
added 2024/04/01 9:47 p.m.76 views

CVE-2024-23115

Centreon updateGroups SQL Injection (CVE-2024-23115) allows remote code execution via improper validation of a user-supplied string used to build SQL queries in the updateGroups function. This requires authentication to exploit and can run code in the service account context. Connected sources (V...

7.2CVSS7.5AI score0.67493EPSS
CVE
CVE
added 2024/04/01 9:47 p.m.76 views

CVE-2024-23116

Summary (CVE-2024-23116): Centreon is vulnerable to a SQL Injection in the core function updateLCARelation , caused by improper validation of a user-supplied string used to build SQL queries. This leads to Remote Code Execution in the context of the service account. The vulnerability is documente...

7.2CVSS7.5AI score0.53411EPSS
CVE
CVE
added 2024/04/01 9:48 p.m.72 views

CVE-2024-23119

Centreon insertGraphTemplate SQL Injection leads to Remote Code Execution. The flaw is improper validation of a user-supplied string used to build SQL queries inside insertGraphTemplate, allowing an attacker to run code in the service account. Exploitation requires authentication. Affected Centre...

8.8CVSS9.2AI score0.01371EPSS
CVE
CVE
added 2024/04/01 9:47 p.m.68 views

CVE-2024-23117

CVE-2024-23117 concerns Centreon: the vulnerability is in the updateContactServiceCommands function where user-supplied input is not properly validated before being used to build SQL queries. This leads to a SQL Injection that can execute arbitrary code in the context of the Centreon service acco...

7.2CVSS7.5AI score0.53411EPSS
CVE
CVE
added 2024/04/01 9:48 p.m.68 views

CVE-2024-23118

CVE-2024-23118 describes a SQL Injection in Centreon’s updateContactHostCommands function. The root cause is improper validation of user-supplied input used to build SQL queries, enabling an attacker to execute arbitrary code in the context of the service account. Exploitation requires authentica...

7.2CVSS7.5AI score0.53411EPSS
CVE
CVE
added 2024/08/23 12:0 a.m.68 views

CVE-2024-33852

CVE-2024-33852 describes a SQL Injection in Centreon Web’s Downtime component. Affected versions are Centreon Web 22.10.0–22.10.22, 23.04.0–23.04.18, 23.10.0–23.10.12, and 24.04.0–24.04.2; the issue exists before the listed fixed releases. The root cause is improper input handling that corrupts o...

9.1CVSS8.4AI score0.00488EPSS
CVE
CVE
added 2025/01/23 12:0 a.m.68 views

CVE-2024-53923

CVE-2024-53923 – Centreon Web : Multiple sources (Red Hat, Snyk, CVE listings, PT Security, etc.) confirm a SQL injection in the media-upload form that can be triggered by a user with high privileges. Affected versions include Centreon Web 23.04.x (to 23.04.23), 23.10.x (to 23.10.18), 24.04.x (to...

9.1CVSS8AI score0.004EPSS
CVE
CVE
added 2019/10/08 12:24 p.m.66 views

CVE-2019-17107

CVE-2019-17016, -17017, -17022, -17024, -17026 are addressed in Thunderbird upstream: multiple issues including CSS sanitization bypass on pasting, type confusion in XPCVariant.cpp, memory-safety bugs, and related advisory notes. The connected documents confirm affected product: Thunderbird (and ...

8.8CVSS8.9AI score0.0357EPSS
CVE
CVE
added 2024/04/01 9:45 p.m.64 views

CVE-2024-0637

Centreon updateDirectory SQL Injection Remote Code Execution vulnerability affects Centreon installations. The flaw is due to improper validation of a user-supplied string in the updateDirectory function, which is used to build SQL queries. This can allow an attacker to execute arbitrary code in ...

8.8CVSS9.1AI score0.72319EPSS
CVE
CVE
added 2025/01/23 12:0 a.m.64 views

CVE-2024-55573

Centreon centreon-web is affected by SQL injection in the form used to create virtual metrics. Vulnerable versions include 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, and 23.04.x before 23.04.24. The issue is triggered by high-privilege users and requires no user inte...

9.1CVSS7.7AI score0.0109EPSS
CVE
CVE
added 2024/08/21 4:14 p.m.62 views

CVE-2024-5723

Centreon updateServiceHost exposes a SQL Injection that leads to Remote Code Execution. The flaw occurs in updateServiceHost due to improper validation of a user-supplied string used to build SQL queries, allowing an attacker to run code in the apache user context after authentication is required...

8.8CVSS9.2AI score0.40669EPSS
CVE
CVE
added 2018/06/25 6:0 p.m.61 views

CVE-2018-11587

CVE-2018-11587 describes remote code execution in Centreon 3.4.6/Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php.根据公开资料,影响组件为 Centreon/Centreon Web,漏洞根本原因是对 Virtual Metric 表单中 RPN 值的处理不安全,导致攻击者网络可远程执行代码,影响程度为高/关键。建议升级到包含修复的版本(如 Centreon Web 2.8.24,相关发布 ...

9.8CVSS9.7AI score0.04247EPSS
CVE
CVE
added 2024/05/03 2:15 a.m.61 views

CVE-2023-51633

Centreon (Centreon) sysName Cross-Site Scripting Remote Code Execution vulnerability (CVE-2023-51633) stems from improper validation of input in the SNMP sysName OID, enabling arbitrary code execution with the service account when a user-provided value is processed. Exploitation requires user int...

9.6CVSS7.7AI score0.0109EPSS
CVE
CVE
added 2024/08/23 12:0 a.m.60 views

CVE-2024-32501

CVE-2024-32501 is a SQL Injection vulnerability in Centreon Web via updateServiceHost. Affected versions: Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. Root cause cited across sources: improper input validation in updateService...

9.8CVSS8.4AI score0.19187EPSS
CVE
CVE
added 2019/11/21 5:36 p.m.59 views

CVE-2019-16406

Centreon Web 19.04.4 is affected. Weak permissions in the OVA/OVF files enable privilege escalation via a Trojan horse Centreon-autodisco executable launched by cron, granting higher privileges. The Red Hat and CVE references corroborate the same issue across multiple feeds. No additional exploit...

7.8CVSS7.7AI score0.00485EPSS
CVE
CVE
added 2024/08/23 12:0 a.m.59 views

CVE-2024-33854

Centreon Web contains a SQL Injection in the Graph Template component. Affected versions are 22.10.0–22.10.22, 23.04.0–23.04.18, 23.10.0–23.10.12, and 24.04.0–24.04.2; fixed in 22.10.23, 23.04.19, 23.10.13, and 24.04.3 respectively. Root cause is lack of protection of the SQL query structure. Rem...

9.1CVSS8.4AI score0.00488EPSS
CVE
CVE
added 2019/10/08 12:25 p.m.58 views

CVE-2019-17108

CVE-2019-17108 affects Centreon Web (prior to version 2.8.28). The vulnerability is a Local File Inclusion in brokerPerformance.php, caused by lack of proper validation of client-side data (e.g., filename), which can let an attacker disclose information and potentially trigger a stored XSS on a u...

6.1CVSS5.8AI score0.01243EPSS
CVE
CVE
added 2024/08/23 12:0 a.m.57 views

CVE-2024-39841

Centreon Web is affected by a SQL Injection in the service configuration via the testServiceExistence() function. The issue permits manipulation of SQL queries due to improper input handling, impacting Centreon Web versions 22.10.0–22.10.22, 23.04.0–23.04.18, 23.10.0–23.10.12, and 24.04.0–24.04.2...

8.8CVSS8.4AI score0.01133EPSS
CVE
CVE
added 2025/04/24 9:19 a.m.57 views

CVE-2025-3872

CVE-2025-3872 is an SQL Injection vulnerability in Centreon centreon-web (User configuration form modules) that allows a high-privilege user to elevate to administrator by tampering the contact form payload. The issue affects Centreon Web versions listed by PT-Security (22.10.0–27, 23.04.0–23.04....

7.2CVSS7.3AI score0.00339EPSS
CVE
CVE
added 2024/08/21 4:14 p.m.55 views

CVE-2024-5725

Centreon vulnerability CVE-2024-5725 is a SQL Injection in the initCurveList function that allows remote code execution. The flaw arises from improper validation of a user-supplied string used to build SQL queries, enabling an attacker to run arbitrary code in the context of the apache user. Auth...

8.8CVSS9.2AI score0.47648EPSS
CVE
CVE
added 2019/11/27 1:31 p.m.53 views

CVE-2019-15298

Centreon Web (version 19.04.3 and earlier) is affected by an authenticated command injection in include/configuration/configObject/traps-mibs/formMibs.php. The mnftr parameter is not properly filtered when submitting a file via the mibs management form, allowing injected Linux commands to be exec...

8.8CVSS8.8AI score0.26624EPSS
Web
CVE
CVE
added 2025/05/13 11:40 a.m.53 views

CVE-2025-4649

Centreon web contains an ACL-related privilege management flaw that can lead to privilege escalation when viewing the event logs. Affected versions are: 24.10.3–24.10.4, 24.04.09–24.04.10, 23.10.19–23.10.21, and 23.04.24–23.04.26. Remediation is to upgrade to 24.10.4+ for the 24.10 line, 24.04.10...

4.9CVSS6.5AI score0.0031EPSS
CVE
CVE
added 2024/08/23 12:0 a.m.52 views

CVE-2024-33853

Summary: CVE-2024-33853 affects Centreon Web’s Timeperiod component. The vulnerability is a SQL Injection in Centreon Web versions prior to 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. The issue stems from how SQL queries are constructed (lack of input v...

9.1CVSS8.4AI score0.00488EPSS
CVE
CVE
added 2018/06/25 6:0 p.m.51 views

CVE-2018-11589

CVE-2018-11589 affects Centreon 3.4.6 and Centreon Web 2.8.23, with multiple SQL injections via parameters such as viewLogs.php (searchU), GetXmlHost.php (id), ExportCSVServiceData.php (chartId or searchU), and listComponentTemplates/listMetrics (searchCurve/host_id). The issue allows arbitrary S...

9.8CVSS9.9AI score0.02147EPSS
CVE
CVE
added 2019/10/08 12:21 p.m.51 views

CVE-2019-17106

CVE-2019-17106 affects Centreon Web up to version 2.8.29. The issue is disclosure of external components’ passwords, which authenticated attackers can use to move laterally to external components. The available connected records repeat the same description without adding new technical details (no...

6.5CVSS6.2AI score0.01067EPSS
CVE
CVE
added 2025/05/13 9:31 a.m.49 views

CVE-2025-4647

CVE-2025-4647 is a Centreon Web vulnerability: improper neutralization of input during web page generation leading to Reflected XSS. A user with elevated privileges can bypass sanitization by replacing the content of an existing SVG. Affected versions are Centreon Web 24.10.0–before 24.10.5, 24.0...

8.4CVSS8.4AI score0.00238EPSS
CVE
CVE
added 2018/06/25 6:0 p.m.48 views

CVE-2018-11588

Centreon 3.4.6 with Centreon Web 2.8.23 is vulnerable to a stored XSS via an authenticated user injecting a payload into the username or command description. The issue affects files controlling menu and command configuration (www/include/core/menu/menu.php and www/include/configuration/configObje...

5.4CVSS6.3AI score0.01112EPSS
Web
CVE
CVE
added 2019/10/08 12:8 p.m.48 views

CVE-2018-21020

Centreon Web component centreonAuth.class.php contains a PHP type juggling flaw that, before version 2.8.27, can allow an attacker to bypass authentication. The issue is documented across multiple sources (CVE-2018-21020; affected product Centreon Web pre-2.8.27). Impact is authentication bypass ...

7.5CVSS7.6AI score0.01981EPSS
CVE
CVE
added 2019/10/08 12:17 p.m.47 views

CVE-2018-21023

Centreon Web ≤ 2.8.28 contains a code execution vulnerability in getStats.php via the ns_id parameter. The issue arises from how externally entered data is used to construct a code segment, enabling authenticated attackers to execute arbitrary code. Affected product/version details and CVE descri...

8.8CVSS8.8AI score0.02995EPSS
CVE
CVE
added 2020/02/24 12:55 p.m.47 views

CVE-2019-15299

Centreon Web (up to version 19.04.3) contains an authentication bypass issue: after a user changes their password on their profile page, the contact_autologin_key field in the database is set to blank instead of NULL. This behavior enables partial bypass of authentication. The available connected...

8.8CVSS8.6AI score0.01632EPSS
CVE
CVE
added 2025/05/13 9:17 a.m.47 views

CVE-2025-4646

Centreon Web (API Token creation form modules) is affected by CVE-2025-4646: an Improper Privilege Management vulnerability that can enable privilege escalation. The issue exists in Centreon Web versions 24.04.0 up to, but not including, 24.04.10 and 24.10.0 up to, but not including, 24.10.4. Roo...

7.2CVSS6.3AI score0.00377EPSS
CVE
CVE
added 2025/05/13 9:45 a.m.47 views

CVE-2025-4648

Centreon web is affected by a reflected XSS vulnerability (CVE-2025-4648) where the content of an uploaded SVG file is not properly validated. A user with elevated privileges can inject JavaScript by altering a SVG media during submission. Affected versions include Centreon web 22.10.0–22.10.29, ...

8.4CVSS6.3AI score0.00224EPSS
CVE
CVE
added 2019/10/08 12:11 p.m.44 views

CVE-2018-21021

Summary of CVE-2018-21021 : Multiple sources confirm a SQL injection vulnerability in Centreon Web (Centreon/Merethis) prior to version 2.8.27. The issue is triggered via the host_id parameter in img_gantt.php, allowing an attacker to inject and potentially execute arbitrary SQL commands. Exploit...

8.8CVSS8.8AI score0.01836EPSS
CVE
CVE
added 2019/11/27 1:23 p.m.42 views

CVE-2019-15300

The CVE-2019-15300 issue affects Centreon Web up to version 19.04.3. It is an authenticated SQL injection vulnerability in the page include/Administration/parameters/ldap/xml/ldap_host.php, where the arId parameter is not properly filtered before being concatenated into the SQL query. This leads ...

8.8CVSS8.8AI score0.02013EPSS
Web
CVE
CVE
added 2026/02/27 1:33 p.m.40 views

CVE-2026-2751

CVE-2026-2751 affects Centreon Web on Central Server (Linux) in the Service Dependencies module. The root cause is a Blind SQL Injection due to unsanitized array keys during deletion of Service Dependencies. Affected versions are Centreon Web before 25.10.8, 24.10.20, and 24.04.24. The vulnerabil...

9.8CVSS6AI score0.00271EPSS
CVE
CVE
added 2019/10/08 12:14 p.m.39 views

CVE-2018-21022

Centreon Web vulnerability CVE-2018-21022: The affected component is makeXML_ListServices.php in Centreon Web, with the root cause being a SQL injection via the host_id parameter. Versions prior to 2.8.28 are affected. Impact is that an attacker could inject SQL commands through the host_id value...

8.8CVSS8.8AI score0.01836EPSS
CVE
CVE
added 2019/10/08 2:35 p.m.37 views

CVE-2019-17105

Centreon Web prior to 2.8.27 is affected by CVE-2019-17105 where the token generator in index.php is predictable. The issue is documented as a predictable token generator, enabling potential token guessing that could enable unauthorized access or session-related abuse. Connected sources also desc...

5.3CVSS5.3AI score0.01581EPSS
CVE
CVE
added 2025/08/22 6:56 p.m.22 views

CVE-2025-6791

Centreon Web’s Monitoring event logs module is affected by an SQL Injection due to improper neutralization of special elements in an SQL command. An authenticated, low-privilege attacker can modify HTTP requests to insert payloads into the database. Affected Centreon Web versions: 23.10.0–23.10.2...

8.8CVSS7.1AI score0.00308EPSS
CVE
CVE
added 2025/10/27 3:7 p.m.19 views

CVE-2025-10023

Centreon Infra Monitoring (Services Meta-services modules) exposes a Stored XSS in Web Page Generation due to improper input neutralization. Affected versions include 23.10.0–23.10.26, 24.04.0–24.04.16, and 24.10.0–24.10.9. The issue requires elevated privileges and user interaction to exploit, w...

6.2CVSS5.1AI score0.00191EPSS
CVE
CVE
added 2025/10/14 4:54 p.m.19 views

CVE-2025-8430

The vulnerability CVE-2025-8430 affects Centreon Infra Monitoring, specifically the Commands Connectors configuration modules. It is a Stored XSS arising from improper neutralization of input during web page generation, exploitable by users with elevated privileges. Affected versions are Infra Mo...

6.8CVSS5.6AI score0.00191EPSS
CVE
CVE
added 2025/10/14 2:59 p.m.17 views

CVE-2025-54892

Centreon CVE-2025-54892 is a stored XSS in the Centreon Infra Monitoring SNMP traps group configuration module. The issue arises from improper input neutralization during web page generation, allowing a user with elevated privileges to inject scripts. Affected versions include 24.10.0–24.10.12, 2...

6.8CVSS5.1AI score0.00235EPSS
CVE
CVE
added 2025/10/14 2:29 p.m.17 views

CVE-2025-5946

Centreon Infra Monitoring has a high-severity OS Command Injection vulnerability (CVE-2025-5946) affecting the poller reload feature. A user with high privileges on the Centreon Web UI can inject commands via the broker engine reload parameter, triggering potential remote code execution. Public d...

7.2CVSS6.5AI score0.13843EPSS
Web
CVE
CVE
added 2025/10/14 5:11 p.m.17 views

CVE-2025-8459

Centreon Infra Monitoring is affected by a stored XSS vulnerability (CVE-2025-8459) due to improper neutralization of input during web page generation. Affects multiple branches: 24.10.0–24.10.12, 24.04.0–24.04.17, and 23.10.0–23.10.27. The issue allows stored XSS in the Recurrent Downtimes page,...

7.7CVSS5.7AI score0.00225EPSS
CVE
CVE
added 2025/08/22 6:50 p.m.16 views

CVE-2025-4650

Centreon Web SQL Injection (CVE-2025-4650) affects Centreon Web via the Meta Service indicator page. The root cause is improper neutralization of special elements in an SQL command, enabling a high-privilege attacker to perform a SQLi without user interaction. Affected versions include web 23.10....

7.2CVSS7.1AI score0.00381EPSS
CVE
CVE
added 2026/01/05 10:6 a.m.16 views

CVE-2025-5965

Centreon Infra Monitoring is affected by an OS Command Injection in the backup configuration when a high-privilege user appends custom instructions. The root cause is improper neutralization of special elements used in OS commands. Affected versions include Infra Monitoring 25.10.0–25.10.1 (befor...

7.2CVSS6.5AI score0.24817EPSS
CVE
CVE
added 2025/10/14 2:22 p.m.16 views

CVE-2025-8428

CVE-2025-8428 is a Stored XSS in Centreon Infra Monitoring (HTTP Loader widget modules) caused by improper input neutralization during web page generation. The issue affects Centreon Infra Monitoring versions: 24.10.0–24.10.12, 24.04.0–24.04.17, and 23.10.0–23.10.27. Exploitation could allow an a...

6.8CVSS5.7AI score0.00225EPSS
CVE
CVE
added 2025/10/14 3:29 p.m.16 views

CVE-2025-8429

CVE-2025-8429 corresponds to a Stored XSS in Centreon Infra Monitoring (ACL Action access configuration modules) caused by improper neutralization of input during web page generation. Affected versions are Centreon Infra Monitoring 23.10.0–23.10.28, 24.04.0–24.04.18, and 24.10.0–24.10.13. Potenti...

6.8CVSS5AI score0.00191EPSS
CVE
CVE
added 2026/01/05 10:10 a.m.14 views

CVE-2025-13056

Summary: CVE-2025-13056 is a stored XSS vulnerability in Centreon Infra Monitoring, specifically in the Administration ACL menu configuration modules . The issue arises from ** Improper Neutralization of Input During Web Page Generation**, allowing stored scripts to execute in the context of user...

6.8CVSS5.2AI score0.00163EPSS
Total number of security vulnerabilities56