CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-42428 – Centreon Poller Broker SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-42428
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. • https://www.zerodayinitiative.com/advisories/ZDI-22-1399 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41142 – Centreon Poller Resource SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-41142
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to configure poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. • https://github.com/centreon/centreon/security/policy https://www.zerodayinitiative.com/advisories/ZDI-22-1326 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39988 – Centreon 22.04.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-39988
A cross-site scripting (XSS) vulnerability in Centreon 22.04.0 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Service>Templates service_alias parameter. Una vulnerabilidad de tipo cross-site scripting (XSS) en Centreon versión 22.04.0, permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada inyectada en el parámetro Service)Templates service_alias Centreon version 22.04.0 suffers from a persistent cross site scripting vulnerability. • http://packetstormsecurity.com/files/168585/Centreon-22.04.0-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40044
https://notcve.org/view.php?id=CVE-2022-40044
Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. Se ha detectado que Centreon versión v20.10.18, contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio del parámetro esc_name (Nombre de escalamiento) en Configuration/Notifications/Escalations. Esta vulnerabilidad permite a atacantes ejecutar scripts web o HTML arbitrarios por medio de una inyección de una carga útil diseñada. • https://github.com/centreon/centreon/releases https://www.hakaioffensivesecurity.com/centreon-sqli-and-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-40043
https://notcve.org/view.php?id=CVE-2022-40043
Centreon v20.10.18 was discovered to contain a SQL injection vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. Una comprobación insuficiente de entradas no confiables en DevTools en Google Chrome en Chrome OS versiones anteriores a 105.0.5195.125, permitía a un atacante que convencía a un usuario de instalar una extensión maliciosa omitir las restricciones de navegación por medio de una página HTML diseñada. • https://github.com/centreon/centreon/releases https://www.hakaioffensivesecurity.com/centreon-sqli-and-xss-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •