CVSS: 9.0EPSS: 44%CPEs: 1EXPL: 1CVE-2020-9463
https://notcve.org/view.php?id=CVE-2020-9463
28 Feb 2020 — Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request. Centreon versión 19.10, permite a usuarios autentificados remotos ejecutar comandos arbitrarios del Sistema Operativo por medio de metacaracteres de shell en el campo server_ip en los datos JSON en una petición de api/internal.php?object=centreon_configuration_remote. • https://code610.blogspot.com/2020/02/postauth-rce-in-centreon-1910.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-20327
https://notcve.org/view.php?id=CVE-2019-20327
16 Jan 2020 — Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.) Unos permisos no seguros en cwrapper_perl en Centreon Infrastructure Monitoring Software versiones hasta 19.10, permiten a atacantes locales alcanzar privilegios. (cwrapper_perl es un ejecutable setuid que permite la ejecución de scripts Perl con privilegios root). • https://gist.github.com/Diefunction/9237f46b8659a65ab08de8ec9c258139 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-16195
https://notcve.org/view.php?id=CVE-2019-16195
26 Nov 2019 — Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 allows XSS via myAccount alias and name fields. Centreon versiones anteriores a la versión 2.8.30, versiones 18.x anteriores a 18.10.8 y versiones 19.x anteriores a 19.04.5, permite un ataque de tipo XSS por medio de un alias myAccount y campos de nombre. • https://github.com/centreon/centreon/pull/7876 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 1CVE-2019-17501
https://notcve.org/view.php?id=CVE-2019-17501
14 Oct 2019 — Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen). CVE-2019-17501 and CVE-2019-16405 are similar to one another and may be the same. Centreon versión 19.04, permite a atacantes ejecutar comandos arbitrarios del sistema operativo por medio del campo Command Line de main.php?p=60807&type=4 [también se conoce como la pantalla Configuration ) Commands ) Discovery]. • https://gist.github.com/sinfulz/ef49270e245df050af59cc3dd3eefa6b • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21024
https://notcve.org/view.php?id=CVE-2018-21024
08 Oct 2019 — licenseUpload.php in Centreon Web before 2.8.27 allows attackers to upload arbitrary files via a POST request. El archivo licenseUpload.php en Centreon Web versiones anteriores a 2.8.27, permite a atacantes cargar archivos arbitrarios por medio de una petición POST. • http://www.openwall.com/lists/oss-security/2019/10/09/2 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16194
https://notcve.org/view.php?id=CVE-2019-16194
25 Sep 2019 — SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. Unas vulnerabilidades de inyección SQL en Centreon versiones hasta 19.04, permiten ataques por medio del parámetro svc_id en el archivo include/tracking/status/Services/xml/makeXMLForOneService.php. • https://github.com/centreon/centreon/pull/7862 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 24%CPEs: 1EXPL: 6CVE-2019-13024 – Centreon 19.04 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-13024
01 Jul 2019 — Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands). C... • https://www.exploit-db.com/exploits/47069 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19312
https://notcve.org/view.php?id=CVE-2018-19312
16 Nov 2018 — Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI. Centreon versiones 3.4.x (corregido en Centreon versión 18.10.0 y Centreon web versión 2.8.24), permite una inyección SQL por medio del parámetro searchVM en el URI main.php?p=20408. • http://www.roothc.com.br/1349-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19311
https://notcve.org/view.php?id=CVE-2018-19311
16 Nov 2018 — Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen. Centreon versiones 3.4.x (corregido en Centreon versión 18.10.0), permite un ataque de tipo XSS por medio del campo Service en el URI main.php?p=20201, como es demostrado mediante la pantalla "Monitoring ) Status Details ) Services". • http://www.roothc.com.br/1349-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19281
https://notcve.org/view.php?id=CVE-2018-19281
14 Nov 2018 — Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) allows SNMP trap SQL Injection. Centreon versiones 3.4.x (corregido en Centreon versión 18.10.0 y Centreon web versión 2.8.27), permite una Inyección SQL de la captura de SNMP. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.0.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •