CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21024
https://notcve.org/view.php?id=CVE-2018-21024
licenseUpload.php in Centreon Web before 2.8.27 allows attackers to upload arbitrary files via a POST request. El archivo licenseUpload.php en Centreon Web versiones anteriores a 2.8.27, permite a atacantes cargar archivos arbitrarios por medio de una petición POST. • http://www.openwall.com/lists/oss-security/2019/10/09/2 https://github.com/centreon/centreon/pull/7085 https://www.openwall.com/lists/oss-security/2019/10/08/1 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16194
https://notcve.org/view.php?id=CVE-2019-16194
SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. Unas vulnerabilidades de inyección SQL en Centreon versiones hasta 19.04, permiten ataques por medio del parámetro svc_id en el archivo include/tracking/status/Services/xml/makeXMLForOneService.php. • https://github.com/centreon/centreon/pull/7862 https://github.com/centreon/centreon/releases • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2015-1560 – Centreon 2.5.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1560
SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php. Una vulnerabilidad de inyección SQL en la función isUserAdmin en el archivo include/common/common-Func.php en Centreon (anteriormente Merethis Centreon) versiones 2.5.4 y anteriores (corregido en Centreon web versión 2.7.0) , permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio del parámetro sid en el archivo include/common/XmlTree/GetXmlTree.php. Merethis Centreon versions 2.5.4 and below suffer from remote SQL injection and command execution vulnerabilities. • https://www.exploit-db.com/exploits/37528 http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html http://www.securityfocus.com/archive/1/535961/100/0/threaded https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582 https://github.com/centreon/centreon/commit/668a928f34dc0f67723d3db138c042eb7f979f28#diff-f69d4a3d3d177d024c22419357c1f4f4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2015-1561 – Centreon 2.5.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1561
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter. La función escape_command en el archivo include/Administration/corePerformance/getStats.php en Centreon (anteriormente Merethis Centreon) versión 2.5.4 y anteriores (corregido en Centreon versión 19.10.0), usa una expresión regular incorrecta, lo que permite a usuarios autenticados remotos ejecutar comandos arbitrarios por medio de metacaracteres de shell en el parámetro ns_id. Merethis Centreon versions 2.5.4 and below suffer from remote SQL injection and command execution vulnerabilities. • https://www.exploit-db.com/exploits/37528 http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html http://www.securityfocus.com/archive/1/535961/100/0/threaded https://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb https://github.com/centreon/centreon/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a#diff-27550b563fa8d660b64bca871a219cb1 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.0EPSS: 0%CPEs: 45EXPL: 1CVE-2011-4432
https://notcve.org/view.php?id=CVE-2011-4432
www/include/configuration/nconfigObject/contact/DB-Func.php in Merethis Centreon before 2.3.2 does not use a salt during calculation of a password hash, which makes it easier for context-dependent attackers to determine cleartext passwords via a rainbow-table approach. www/include/configuration/nconfigObject/contact/DB-Func.php en Merethis Centreon antes de v2.3.2 no emplea "salt" durante el calculo del hash de una contraseña, lo que hace más sencillo para atacantes dependientes del contexto determinar las contraseñas en texto planto a través de una aproximación de tablas "rainbow". • http://securityreason.com/securityalert/8530 https://www.trustwave.com/spiderlabs/advisories/TWSL2011-017.txt • CWE-310: Cryptographic Issues •