CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16194
https://notcve.org/view.php?id=CVE-2019-16194
SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php. Unas vulnerabilidades de inyección SQL en Centreon versiones hasta 19.04, permiten ataques por medio del parámetro svc_id en el archivo include/tracking/status/Services/xml/makeXMLForOneService.php. • https://github.com/centreon/centreon/pull/7862 https://github.com/centreon/centreon/releases • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 34%CPEs: 1EXPL: 5CVE-2019-13024 – Centreon 19.04 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2019-13024
Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands). Centreon versiones 18.x anteriores a 18.10.6, versiones 19.x anteriores a 19.04.3, y Centreon web anterior a versión 2.8.29, permite al atacante ejecutar comandos del sistema arbitrarios mediante el uso del valor "init_script"-"Monitoring Engine Binary" en el archivo main.get.php para insertar un comando arbitrario en la base de datos, y ejecutándolo para llamar la página vulnerable www/include/configuration/configGenerate/xml/generateFiles.php (que pasa el valor insertado a la base de datos a shell_exec sin sanearlo, lo que permite ejecutar comandos arbitrarios del sistema). Centreon version 19.04 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/47069 https://github.com/mhaskar/CVE-2019-13024 http://packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.6.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04/centreon-19.04.3.html https://gist.github.com/mhaskar/c4255f6cf45b19b8a852c780f50576da https://github.com/centreon/centreon/pull/7694 h • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19312
https://notcve.org/view.php?id=CVE-2018-19312
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI. Centreon versiones 3.4.x (corregido en Centreon versión 18.10.0 y Centreon web versión 2.8.24), permite una inyección SQL por medio del parámetro searchVM en el URI main.php?p=20408. • http://www.roothc.com.br/1349-2 https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.0.html https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html https://github.com/centreon/centreon/pull/6257 https://github.com/centreon/centreon/pull/6628 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19311
https://notcve.org/view.php?id=CVE-2018-19311
Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen. Centreon versiones 3.4.x (corregido en Centreon versión 18.10.0), permite un ataque de tipo XSS por medio del campo Service en el URI main.php?p=20201, como es demostrado mediante la pantalla "Monitoring ) Status Details ) Services". • http://www.roothc.com.br/1349-2 https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.0.html https://github.com/centreon/centreon/pull/6632 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-19280
https://notcve.org/view.php?id=CVE-2018-19280
Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro. Centreon versiones 3.4.x (corregido en Centreon versión 18.10.0), presenta una vulnerabilidad de tipo XSS por medio del nombre de recurso o una expresión macro de una macro de sondeo. • https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.0.html https://github.com/centreon/centreon/pull/6626 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •