CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-20327
https://notcve.org/view.php?id=CVE-2019-20327
16 Jan 2020 — Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.) Unos permisos no seguros en cwrapper_perl en Centreon Infrastructure Monitoring Software versiones hasta 19.10, permiten a atacantes locales alcanzar privilegios. (cwrapper_perl es un ejecutable setuid que permite la ejecución de scripts Perl con privilegios root). • https://gist.github.com/Diefunction/9237f46b8659a65ab08de8ec9c258139 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 3%CPEs: 4EXPL: 0CVE-2019-15298
https://notcve.org/view.php?id=CVE-2019-15298
27 Nov 2019 — A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-15300
https://notcve.org/view.php?id=CVE-2019-15300
27 Nov 2019 — A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query. Se encontró un problema en Centreon Web versiones hasta la versión 19.04.3. Una inyección SQL autenticada está presente en la página include/Administration/parameters/ldap/xml/ldap_host.php. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-16195
https://notcve.org/view.php?id=CVE-2019-16195
26 Nov 2019 — Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 allows XSS via myAccount alias and name fields. Centreon versiones anteriores a la versión 2.8.30, versiones 18.x anteriores a 18.10.8 y versiones 19.x anteriores a 19.04.5, permite un ataque de tipo XSS por medio de un alias myAccount y campos de nombre. • https://github.com/centreon/centreon/pull/7876 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16406
https://notcve.org/view.php?id=CVE-2019-16406
21 Nov 2019 — Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron. Centreon Web versión 19.04.4, presenta permisos débiles dentro de los archivos OVA (también se conoce como máquina virtual VMware) y OVF (también se conoce como máquina virtual VirtualBox), permitiendo a atacantes conseguir privilegios por medio de un archivo ... • https://documentation.centreon.com/docs/centreon-auto-discovery/en/latest/release_notes/18.10/centreon-auto-discovery-18.10.8.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.0EPSS: 1%CPEs: 4EXPL: 4CVE-2019-16405 – Centreon 19.04 - Authenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-16405
21 Nov 2019 — Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same. Centreon Web anterior a la versión 2.8.30, 18.10.x anterior a la versión 18.10.8, 19.04.x anterior a la versión 19.04.5 y 19.10.x anterior a la versión 19.10.2 permite la ejecución remota de código por parte de un administrador ... • https://www.exploit-db.com/exploits/47948 •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 1CVE-2019-17501
https://notcve.org/view.php?id=CVE-2019-17501
14 Oct 2019 — Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen). CVE-2019-17501 and CVE-2019-16405 are similar to one another and may be the same. Centreon versión 19.04, permite a atacantes ejecutar comandos arbitrarios del sistema operativo por medio del campo Command Line de main.php?p=60807&type=4 [también se conoce como la pantalla Configuration ) Commands ) Discovery]. • https://gist.github.com/sinfulz/ef49270e245df050af59cc3dd3eefa6b • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-17105
https://notcve.org/view.php?id=CVE-2019-17105
08 Oct 2019 — The token generator in index.php in Centreon Web before 2.8.27 is predictable. El generador de tokens en el archivo index.php en Centreon Web versiones anteriores a 2.8.27 es predecible. • http://www.openwall.com/lists/oss-security/2019/10/09/2 • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21024
https://notcve.org/view.php?id=CVE-2018-21024
08 Oct 2019 — licenseUpload.php in Centreon Web before 2.8.27 allows attackers to upload arbitrary files via a POST request. El archivo licenseUpload.php en Centreon Web versiones anteriores a 2.8.27, permite a atacantes cargar archivos arbitrarios por medio de una petición POST. • http://www.openwall.com/lists/oss-security/2019/10/09/2 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-17108
https://notcve.org/view.php?id=CVE-2019-17108
08 Oct 2019 — Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user. La inclusión de archivos locales en el archivo brokerPerformance.php en Centreon Web versiones anteriores a 2.8.28, permite a atacantes revelar información o realizar un ataque de tipo XSS almacenado sobre un usuario. • http://www.openwall.com/lists/oss-security/2019/10/09/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •