CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-42427 – Centreon Contact Group SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-42427
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the contact groups configuration page. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. • https://www.zerodayinitiative.com/advisories/ZDI-22-1398 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42428 – Centreon Poller Broker SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-42428
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. • https://www.zerodayinitiative.com/advisories/ZDI-22-1399 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40044
https://notcve.org/view.php?id=CVE-2022-40044
Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. Se ha detectado que Centreon versión v20.10.18, contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio del parámetro esc_name (Nombre de escalamiento) en Configuration/Notifications/Escalations. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una inyección de una carga útil diseñada. • https://github.com/centreon/centreon/releases https://www.hakaioffensivesecurity.com/centreon-sqli-and-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40043
https://notcve.org/view.php?id=CVE-2022-40043
Centreon v20.10.18 was discovered to contain a SQL injection vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. Una comprobación insuficiente de entradas no confiables en DevTools en Google Chrome en Chrome OS versiones anteriores a 105.0.5195.125, permitía a un atacante que convencía a un usuario de instalar una extensión maliciosa omitir las restricciones de navegación por medio de una página HTML diseñada. • https://github.com/centreon/centreon/releases https://www.hakaioffensivesecurity.com/centreon-sqli-and-xss-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34871 – Centreon Poller Resource SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-34871
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. • https://docs.centreon.com/docs/21.10/releases/centreon-core https://www.zerodayinitiative.com/advisories/ZDI-22-953 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •