CVE-2015-1561
Centreon 2.5.4 - Multiple Vulnerabilities
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.
La función escape_command en el archivo include/Administration/corePerformance/getStats.php en Centreon (anteriormente Merethis Centreon) versión 2.5.4 y anteriores (corregido en Centreon versión 19.10.0), usa una expresión regular incorrecta, lo que permite a usuarios autenticados remotos ejecutar comandos arbitrarios por medio de metacaracteres de shell en el parámetro ns_id.
Merethis Centreon versions 2.5.4 and below suffer from remote SQL injection and command execution vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-02-08 CVE Reserved
- 2015-07-08 CVE Published
- 2015-07-08 First Exploit
- 2024-08-06 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (5)
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/37528 | 2015-07-08 | |
| http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html | 2024-08-06 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|