CVE-2022-40043
https://notcve.org/view.php?id=CVE-2022-40043
26 Sep 2022 — Centreon v20.10.18 was discovered to contain a SQL injection vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. Insufficient validation of untrusted input in DevTools in Google Chrome on Chrome OS prior to 105.0.5195.125 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted HTML page. • https://github.com/centreon/centreon/releases • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-36194 – Centreon 22.04.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-36194
25 Aug 2022 — Centreon 22.04.0 is vulnerable to Cross Site Scripting (XSS) from the function Pollers > Broker Configuration by adding a crafted payload into the name parameter. Centreon version 22.04.0 suffers from a persistent cross site scripting vulnerability. • http://packetstormsecurity.com/files/168149/Centreon-22.04.0-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-34871 – Centreon Poller Resource SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-34871
07 Jul 2022 — This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. • https://docs.centreon.com/docs/21.10/releases/centreon-core • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-34872 – Centreon Virtual Metrics SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-34872
07 Jul 2022 — This vulnerability allows remote attackers to disclose sensitive information on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of Virtual Metrics. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. • https://docs.centreon.com/docs/21.10/releases/centreon-core • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-22345
https://notcve.org/view.php?id=CVE-2020-22345
18 Aug 2021 — /graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter. • https://engindemirbilek.github.io/centreon-19.10-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-37558
https://notcve.org/view.php?id=CVE-2021-37558
03 Aug 2021 — A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/confi... • https://github.com/centreon/centreon/pull/9796 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-37557
https://notcve.org/view.php?id=CVE-2021-37557
03 Aug 2021 — A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter. • https://github.com/centreon/centreon/pull/9787 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-37556
https://notcve.org/view.php?id=CVE-2021-37556
03 Aug 2021 — A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters. • https://github.com/centreon/centreon/pull/9781 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-28053
https://notcve.org/view.php?id=CVE-2021-28053
16 Jul 2021 — An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. A SQL injection vulnerability in "Configuration > Users > Contacts / Users" allows remote authenticated users to execute arbitrary SQL commands via the Additional Information parameters. • https://docs.centreon.com/current/en • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-28054
https://notcve.org/view.php?id=CVE-2021-28054
16 Jul 2021 — An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. A Stored Cross-Site Scripting (XSS) issue in "Configuration > Hosts" allows remote authenticated users to inject arbitrary web script or HTML via the Alias parameter. • https://docs.centreon.com/current/en • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •