CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-11589
https://notcve.org/view.php?id=CVE-2018-11589
Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php. Múltiples vulnerabilidades de inyección SQL en Centreon 3.4.6, incluyendo Centreon Web 2.8.23, permiten ataques mediante el parámetro searchU en viewLogs.php, el parámetro id en GetXmlHost.php, el parámetro chartId en ExportCSVServiceData.php, el parámetro searchCurve en listComponentTemplates.php o el parámetro host_id en makeXML_ListMetrics.php. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html https://github.com/centreon/centreon/pull/6250 https://github.com/centreon/centreon/pull/6251 https://github.com/centreon/centreon/pull/6255 https://github.com/centreon/centreon/pull/6256 https://github.com/centreon/centreon/pull/6257 https://github.com/centreon/centreon/releases • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 5%CPEs: 2EXPL: 0CVE-2018-11587
https://notcve.org/view.php?id=CVE-2018-11587
There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php. Hay una ejecución remota de código en Centreon 3.4.6, incluyendo Centreon Web 2.8.23 mediante el valor RPN en el formulario Virtual Metric en centreonGraph.class.php. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html https://github.com/centreon/centreon/pull/6263 https://github.com/centreon/centreon/releases • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-11588
https://notcve.org/view.php?id=CVE-2018-11588
Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php. Centreon 3.4.6 incluyendo Centreon Web 2.8.23 es vulnerable a que un usuario autenticado inyecte una carga útil en la descripción del nombre de usuario o del comando, lo que resulta en Cross-Site Scripting (XSS) persistente. Esto está relacionado con www/include/core/menu/menu.php y www/include/configuration/configObject/command/formArguments.php. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html https://github.com/centreon/centreon/pull/6259 https://github.com/centreon/centreon/pull/6260 https://github.com/centreon/centreon/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7672
https://notcve.org/view.php?id=CVE-2015-7672
Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in Centreon 18.10.0 and Centreon web 2.8.27). Una vulnerabilidad de tipo cross-site scripting (XSS) en Centreon versión 2.6.1 (corregido en Centreon versión 18.10.0 y Centreon web versión 2.8.27). • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.0.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.27.html https://github.com/centreon/centreon/pull/6637 https://github.com/centreon/centreon/pull/6953 https://www.youtube.com/watch?v=sIONzwQAngU • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2015-1560 – Centreon 2.5.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1560
SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php. Una vulnerabilidad de inyección SQL en la función isUserAdmin en el archivo include/common/common-Func.php en Centreon (anteriormente Merethis Centreon) versiones 2.5.4 y anteriores (corregido en Centreon web versión 2.7.0) , permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio del parámetro sid en el archivo include/common/XmlTree/GetXmlTree.php. Merethis Centreon versions 2.5.4 and below suffer from remote SQL injection and command execution vulnerabilities. • https://www.exploit-db.com/exploits/37528 http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html http://www.securityfocus.com/archive/1/535961/100/0/threaded https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582 https://github.com/centreon/centreon/commit/668a928f34dc0f67723d3db138c042eb7f979f28#diff-f69d4a3d3d177d024c22419357c1f4f4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •