
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in Centreon Web through 19.04.3. When a user changes their password on their profile page, the contact_autologin_key field in the database becomes blank (an empty string) when it should be NULL. This makes it possible to partially bypass authentication.

References:
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10.html
https://github.com/centreon/centreon/pull/8072

CWE-287: Improper Authentication
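Why an empty string in that column is worse than NULL: an equality test against NULL is never true, but '' = '' is. The following is an added illustration, not Centreon code. It models a contacts table in SQLite with the column name from the advisory (contact_autologin_key); the table layout, the two users, the key value and the shape of the autologin lookup are all constructed for this example and are not taken from Centreon's schema or queries.

```python
"""Blank vs NULL autologin key: a constructed SQLite model of the bug class."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed contacts table carrying the column the advisory names."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE contact ("
        "  contact_alias TEXT PRIMARY KEY,"
        "  contact_passwd TEXT NOT NULL,"
        "  contact_autologin_key TEXT)"  # NULL means autologin was never enabled
    )
    db.executemany(
        "INSERT INTO contact VALUES (?, ?, ?)",
        [
            ("alice", "hash-a", "k3y-alice-9f2e"),  # autologin enabled (constructed key)
            ("bob", "hash-b", None),                # autologin never enabled
        ],
    )
    return db


def autologin_naive(db, alias: str, key: str) -> bool:
    """Hypothetical lookup that accepts any equality match on the key column."""
    row = db.execute(
        "SELECT 1 FROM contact WHERE contact_alias = ? AND contact_autologin_key = ?",
        (alias, key),
    ).fetchone()
    return row is not None


def autologin_hardened(db, alias: str, key: str) -> bool:
    """Same lookup, but an empty key is refused both in code and in SQL."""
    if not key:
        return False
    row = db.execute(
        "SELECT 1 FROM contact WHERE contact_alias = ? AND contact_autologin_key = ? "
        "AND contact_autologin_key IS NOT NULL AND contact_autologin_key <> ''",
        (alias, key),
    ).fetchone()
    return row is not None


def clear_key_buggy(db, alias: str) -> None:
    """The bug pattern: 'clearing' the key stores an empty string."""
    db.execute(
        "UPDATE contact SET contact_autologin_key = '' WHERE contact_alias = ?", (alias,)
    )


def clear_key_fixed(db, alias: str) -> None:
    """The fix: clearing the key stores NULL, which never compares equal."""
    db.execute(
        "UPDATE contact SET contact_autologin_key = NULL WHERE contact_alias = ?", (alias,)
    )


def demo() -> dict:
    """Walk through the failure and the fix; returns each lookup's outcome."""
    db = make_db()
    r = {}
    r["bob_null_vs_empty"] = autologin_naive(db, "bob", "")          # NULL = '' is not true
    clear_key_buggy(db, "alice")                                       # alice changes her password
    r["alice_blank_naive"] = autologin_naive(db, "alice", "")        # '' = '' matches: bypass
    r["alice_blank_hardened"] = autologin_hardened(db, "alice", "")  # refused
    clear_key_fixed(db, "alice")
    r["alice_null_naive"] = autologin_naive(db, "alice", "")         # no longer matches
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened lookup rejects an empty key twice on purpose: the application-side check stops the request early, and the SQL predicate protects against any other code path that writes '' into the column, so the fix does not depend on every UPDATE being correct.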

CVSS: 8.8 | EPSS: 4% | CPEs: 4 | EXPL: 0

A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php, which is called from the Centreon administration interface. This is the MIBs management feature, which contains a file upload form. When a file is submitted, the mnftr parameter is sent to the page and is not filtered properly.

References:
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html
https://github.com/centreon/centreon/pull/8023
https://www.certilience.fr/2019/08/CVE-2019-15298-vulnerabilit%C3%A9-centreon-command-injection

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
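The pattern behind this class of bug, as an added example that is not Centreon's code: a form field is pasted into a shell command line, so a ';' in the value ends the intended command and starts an attacker's. The parameter name mnftr comes from the advisory; the command being built, the stand-in tool (the running Python interpreter), the payload and the allow-list are constructed for this illustration and say nothing about what formMibs.php actually executes. It assumes a POSIX shell.

```python
"""Unquoted form field in a shell command (constructed model) and two fixes."""
import re
import shlex
import subprocess
import sys

# Stand-in for the external tool a form handler might call with the
# manufacturer name as an argument: the interpreter itself, printing argv[1].
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Constructed payload: a plausible name followed by a second command.
PAYLOAD = "Cisco; echo INJECTED"


def run_vulnerable(mnftr: str) -> str:
    """Bug pattern: the field is appended to a shell command line unquoted."""
    cmd = " ".join(shlex.quote(p) for p in TOOL) + " " + mnftr  # mnftr is NOT quoted
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(mnftr: str) -> str:
    """Fix 1: one argv element per argument and no shell, so ';' is just a character."""
    return subprocess.run(TOOL + [mnftr], capture_output=True, text=True).stdout


# Allow-list for a manufacturer name: letters, digits, space, dot, underscore, dash.
MNFTR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def is_valid_mnftr(mnftr: str) -> bool:
    """Fix 2, defence in depth: reject anything outside the allow-list up front."""
    return MNFTR_RE.fullmatch(mnftr) is not None


def run_validated(mnftr: str) -> str:
    """Validate, then still avoid the shell; neither fix should be relied on alone."""
    if not is_valid_mnftr(mnftr):
        raise ValueError(f"rejected manufacturer name: {mnftr!r}")
    return run_argv(mnftr)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))  # 'Cisco\nINJECTED\n'
    print("argv      :", repr(run_argv(PAYLOAD)))        # 'Cisco; echo INJECTED\n'
    print("validated :", is_valid_mnftr(PAYLOAD))        # False
```

With the shell in the loop the second command runs and INJECTED appears in the output; with an argv list the whole string reaches the tool as a single argument. The allow-list is the layer that also catches values which are harmless to the shell but not to whatever the tool does with them.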

CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.

References:
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8.html
https://github.com/centreon/centreon/pull/8008
https://github.com/centreon/centreon/pull/8009
https://www.certilience.fr/2019/08/CVE-2019-15300-vulnerabilit%C3%A9-centreon-sql-injection

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
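What "not properly filtered before being passed to the SQL query" means for a numeric id, as an added example that is not Centreon's code: interpolating the parameter into the SQL text lets a tautology widen the WHERE clause and a UNION read other tables. Only the parameter name arId is taken from the advisory; the ldap_host table, its rows, the queries and the payloads are constructed for this SQLite model and do not reflect Centreon's schema.

```python
"""Numeric-id SQL injection (constructed SQLite model) beside the parameterized fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table of LDAP hosts keyed by an auth-resource id."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ldap_host (ar_id INTEGER, host_address TEXT, host_port INTEGER)"
    )
    db.executemany(
        "INSERT INTO ldap_host VALUES (?, ?, ?)",
        [
            (1, "ldap-a.corp.example", 636),
            (2, "ldap-b.corp.example", 636),
            (3, "ad.corp.example", 389),
        ],
    )
    return db


def hosts_vulnerable(db, ar_id: str) -> list:
    """Bug pattern: the request parameter is spliced into the SQL text."""
    sql = f"SELECT host_address, host_port FROM ldap_host WHERE ar_id = {ar_id}"
    return db.execute(sql).fetchall()


def hosts_parameterized(db, ar_id) -> list:
    """Fix: bind the value; the driver never parses it as SQL."""
    return db.execute(
        "SELECT host_address, host_port FROM ldap_host WHERE ar_id = ?", (ar_id,)
    ).fetchall()


def parse_ar_id(raw: str):
    """Defence in depth: an id is an integer, so anything else is rejected early."""
    try:
        return int(raw, 10)
    except ValueError:
        return None


def hosts_checked(db, raw: str) -> list:
    """Type-check first, then bind: the request never reaches SQL as text."""
    ar_id = parse_ar_id(raw)
    if ar_id is None:
        return []
    return hosts_parameterized(db, ar_id)


# Constructed payloads: the first widens the WHERE clause to every row,
# the second pulls schema rows out of sqlite_master through a UNION.
TAUTOLOGY = "1 OR 1=1"
UNION = "0 UNION SELECT name, type FROM sqlite_master"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=2     :", hosts_vulnerable(db, "2"))
    print("vulnerable, tautology:", hosts_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union    :", hosts_vulnerable(db, UNION))
    print("parameterized        :", hosts_parameterized(db, TAUTOLOGY))
    print("checked              :", hosts_checked(db, TAUTOLOGY))
```

Binding alone is sufficient to stop the injection: the bound text '1 OR 1=1' is compared to the integer column as a value and matches nothing. The integer cast is kept as a second layer because it also gives the caller a clean place to log and reject malformed requests.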

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Centreon Web 19.04.4 has weak permissions within the OVA (VMware virtual machine) and OVF (VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.

References:
https://documentation.centreon.com/docs/centreon-auto-discovery/en/latest/release_notes/18.10/centreon-auto-discovery-18.10.8.html
https://documentation.centreon.com/docs/centreon-auto-discovery/en/latest/release_notes/19.04/centreon-auto-discovery-19.04.2.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10.html#centreon-web-18-10-10
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html#centreon-web-19-04-8
https://d

CWE-732: Incorrect Permission Assignment for Critical Resource
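The check a practitioner would want after reading this entry is a generic one: for any executable that a root cron job launches, can an unprivileged local user replace it? The following is an added example, not from Centreon or its release notes; it encodes the conditions that make a cron target replaceable (writable file, untrusted owner, or a writable parent directory, which allows the file to be renamed away and substituted however tight its own mode is). The file name in demo() is constructed, and the check assumes a Linux/POSIX host.

```python
"""Audit whether a cron-launched executable could be swapped by an unprivileged user."""
import os
import stat
import tempfile


def weak_permissions(path: str, trusted_uids=(0,)) -> list:
    """Return findings that would let an untrusted local user replace the executable.

    trusted_uids: uids allowed to own the file and its directory (root by default).
    An empty list means nothing in this check objects to root cron running the path.
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink")
    if st.st_uid not in trusted_uids:
        findings.append(f"file owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWOTH:
        findings.append("file is world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("file is group-writable")

    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_uid not in trusted_uids:
        findings.append(f"directory owned by uid {pst.st_uid}")
    # A writable directory lets an attacker rename the file away and drop a
    # replacement, regardless of the file's own mode; the sticky bit stops
    # non-owners from removing entries they do not own.
    if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
        findings.append("directory is world-writable without the sticky bit")
    if pst.st_mode & stat.S_IWGRP:
        findings.append("directory is group-writable")
    return findings


def demo() -> dict:
    """Create a throwaway script (constructed name) and compare a weak and a tight mode."""
    d = tempfile.mkdtemp()                      # mode 0700, owned by the current user
    p = os.path.join(d, "centreon-autodisco")   # constructed file name
    with open(p, "w") as f:
        f.write("#!/bin/sh\necho hi\n")
    me = (os.getuid(),)                         # treat the current user as the trusted owner
    os.chmod(p, 0o777)
    weak = weak_permissions(p, trusted_uids=me)
    os.chmod(p, 0o755)
    tight = weak_permissions(p, trusted_uids=me)
    return {"weak": weak, "tight": tight}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'no findings'}")
```

For a real audit, run it as root against every path named in /etc/crontab, /etc/cron.d and the root crontab, leaving trusted_uids at its default so that anything not owned by root is reported.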

CVSS: 9.0 | EPSS: 1% | CPEs: 4 | EXPL: 4

Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same.

References:
https://www.exploit-db.com/exploits/47948
https://github.com/TheCyberGeek/CVE-2019-16405.rb
http://packetstormsecurity.com/files/155999/Centreon-19.04-Remote-Code-Execution.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.10.html
https://documentation.centreon.com/docs/centreon&#