CVSS: 10.0EPSS: 75%CPEs: 2EXPL: 4CVE-2014-3828 – Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection
https://notcve.org/view.php?id=CVE-2014-3828
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/. Múltiples vulnerabilidades de inyección SQL en Centreon versión 2.5.1 y Centreon Enterprise Server versión 2.2 (corregido en Centreon web versión 2.5.3), permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio de (1) el parámetro index_id en el archivo views/graphs/common/makeXML_ListMetrics.php,(2) el parámetro sid en el archivo views/graphs/GetXmlTree.php, (3) el parámetro session_id en el archivo views/graphs/graphStatus/displayServiceStatus.php, (4) el parámetro mnftr_id en el archivo configuration/configObject/traps/GetXMLTrapsForVendor.php, o (5) el parámetro index en el archivo common/javascript/commandGetArgs/cmdGetExample.php en include/. Centreon versions 2.5.2 and below and Centreon Enterprise Server versions 2.2 and below and 3.0 and below suffer from remote SQL injection and remote command injection vulnerabilities. • https://www.exploit-db.com/exploits/41676 https://www.exploit-db.com/exploits/35078 http://seclists.org/fulldisclosure/2014/Oct/78 http://www.kb.cert.org/vuls/id/298796 http://www.securityfocus.com/bid/70648 https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde https://seclists.org/fulldisclosure/2014/Oct/78 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •