CVE-2019-17108
https://notcve.org/view.php?id=CVE-2019-17108
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.
• http://www.openwall.com/lists/oss-security/2019/10/09/2
• https://github.com/centreon/centreon/pull/7101
• https://www.openwall.com/lists/oss-security/2019/10/08/1
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-17107
https://notcve.org/view.php?id=CVE-2019-17107
minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.
• http://www.openwall.com/lists/oss-security/2019/10/09/2
• https://github.com/centreon/centreon/pull/7099
• https://www.openwall.com/lists/oss-security/2019/10/08/1
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-21023
https://notcve.org/view.php?id=CVE-2018-21023
getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.
• http://www.openwall.com/lists/oss-security/2019/10/09/2
• https://github.com/centreon/centreon/pull/7083
• https://github.com/centreon/centreon/pull/7271
• https://www.openwall.com/lists/oss-security/2019/10/08/1
• CWE-94: Improper Control of Generation of Code ('Code Injection')