CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-11588
https://notcve.org/view.php?id=CVE-2018-11588
Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php. Centreon 3.4.6 incluyendo Centreon Web 2.8.23 es vulnerable a que un usuario autenticado inyecte una carga útil en la descripción del nombre de usuario o del comando, lo que resulta en Cross-Site Scripting (XSS) persistente. Esto está relacionado con www/include/core/menu/menu.php y www/include/configuration/configObject/command/formArguments.php. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html https://github.com/centreon/centreon/pull/6259 https://github.com/centreon/centreon/pull/6260 https://github.com/centreon/centreon/releases • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7672
https://notcve.org/view.php?id=CVE-2015-7672
Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in Centreon 18.10.0 and Centreon web 2.8.27). Una vulnerabilidad de tipo cross-site scripting (XSS) en Centreon versión 2.6.1 (corregido en Centreon versión 18.10.0 y Centreon web versión 2.8.27). • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.0.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.27.html https://github.com/centreon/centreon/pull/6637 https://github.com/centreon/centreon/pull/6953 https://www.youtube.com/watch?v=sIONzwQAngU • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2015-1560 – Centreon 2.5.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1560
SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php. Una vulnerabilidad de inyección SQL en la función isUserAdmin en el archivo include/common/common-Func.php en Centreon (anteriormente Merethis Centreon) versiones 2.5.4 y anteriores (corregido en Centreon web versión 2.7.0) , permite a atacantes remotos ejecutar comandos SQL arbitrarios por medio del parámetro sid en el archivo include/common/XmlTree/GetXmlTree.php. Merethis Centreon versions 2.5.4 and below suffer from remote SQL injection and command execution vulnerabilities. • https://www.exploit-db.com/exploits/37528 http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html http://www.securityfocus.com/archive/1/535961/100/0/threaded https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582 https://github.com/centreon/centreon/commit/668a928f34dc0f67723d3db138c042eb7f979f28#diff-f69d4a3d3d177d024c22419357c1f4f4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2015-1561 – Centreon 2.5.4 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1561
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter. La función escape_command en el archivo include/Administration/corePerformance/getStats.php en Centreon (anteriormente Merethis Centreon) versión 2.5.4 y anteriores (corregido en Centreon versión 19.10.0), usa una expresión regular incorrecta, lo que permite a usuarios autenticados remotos ejecutar comandos arbitrarios por medio de metacaracteres de shell en el parámetro ns_id. Merethis Centreon versions 2.5.4 and below suffer from remote SQL injection and command execution vulnerabilities. • https://www.exploit-db.com/exploits/37528 http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html http://www.securityfocus.com/archive/1/535961/100/0/threaded https://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb https://github.com/centreon/centreon/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a#diff-27550b563fa8d660b64bca871a219cb1 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 57%CPEs: 2EXPL: 2CVE-2014-3829 – Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection
https://notcve.org/view.php?id=CVE-2014-3829
displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) session_id or (2) template_id parameter, related to the command_line variable. El archivo displayServiceStatus.php en Centreon versión 2.5.1 y Centreon Enterprise Server versión 2.2 (corregido en Centreon web versión 2.5.3), permite a atacantes ejecutar comandos arbitrarios por medio de metacaracteres de shell en el parámetro (1) session_id o (2) template_id, relacionado con la variable command_line. Centreon versions 2.5.2 and below and Centreon Enterprise Server versions 2.2 and below and 3.0 and below suffer from remote SQL injection and remote command injection vulnerabilities. • https://www.exploit-db.com/exploits/41676 http://seclists.org/fulldisclosure/2014/Oct/78 http://www.kb.cert.org/vuls/id/298796 https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde https://seclists.org/fulldisclosure/2014/Oct/78 • CWE-94: Improper Control of Generation of Code ('Code Injection') •