CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21022
https://notcve.org/view.php?id=CVE-2018-21022
makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter. El archivo makeXML_ListServices.php en Centreon Web versiones anteriores a 2.8.28, permite a atacantes realizar inyecciones SQL por medio del parámetro host_id. • http://www.openwall.com/lists/oss-security/2019/10/09/2 https://github.com/centreon/centreon/pull/7087 https://www.openwall.com/lists/oss-security/2019/10/08/1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21021
https://notcve.org/view.php?id=CVE-2018-21021
img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter. El archivo img_gantt.php en Centreon Web versiones anteriores a 2.8.27, permite a atacantes realizar inyecciones SQL por medio del parámetro host_id. • http://www.openwall.com/lists/oss-security/2019/10/09/2 https://github.com/centreon/centreon/pull/7086 https://www.openwall.com/lists/oss-security/2019/10/08/1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21020
https://notcve.org/view.php?id=CVE-2018-21020
In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place. En casos muy raros, una vulnerabilidad de tipo juggling de PHP en el archivo centreonAuth.class.php en Centreon Web versiones anteriores a 2.8.27, permite a atacantes omitir los mecanismos de autenticación establecidos. • http://www.openwall.com/lists/oss-security/2019/10/09/2 https://github.com/centreon/centreon/pull/7084 https://www.openwall.com/lists/oss-security/2019/10/08/1 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16194
https://notcve.org/view.php?id=CVE-2019-16194
SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. Unas vulnerabilidades de inyección SQL en Centreon versiones hasta 19.04, permiten ataques por medio del parámetro svc_id en el archivo include/tracking/status/Services/xml/makeXMLForOneService.php. • https://github.com/centreon/centreon/pull/7862 https://github.com/centreon/centreon/releases • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 34%CPEs: 1EXPL: 5CVE-2019-13024 – Centreon 19.04 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-13024
Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands). Centreon versiones 18.x anteriores a 18.10.6, versiones 19.x anteriores a 19.04.3, y Centreon web anterior a versión 2.8.29, permite al atacante ejecutar comandos del sistema arbitrarios mediante el uso del valor "init_script"-"Monitoring Engine Binary" en el archivo main.get.php para insertar un comando arbitrario en la base de datos, y ejecutándolo para llamar la página vulnerable www/include/configuration/configGenerate/xml/generateFiles.php (que pasa el valor insertado a la base de datos a shell_exec sin sanearlo, lo que permite ejecutar comandos arbitrarios del sistema). Centreon version 19.04 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/47069 https://github.com/mhaskar/CVE-2019-13024 http://packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.6.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04/centreon-19.04.3.html https://gist.github.com/mhaskar/c4255f6cf45b19b8a852c780f50576da https://github.com/centreon/centreon/pull/7694 h • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •