
cpe:2.3:a:centreon:centreon:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Centreon (e01a1192-018f-55df-98f2-b9707fac306d)
Product: Centreon (df868b4a-5b4d-57ce-b7fd-3c898153f558)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/centreon/centreon | purl2cpe | 2026-06-01 10:10:56.307354

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2025-3872 vulnerable 2026-06-03 15:01:05.825517 Privilege escalation by altering payload in contact form
HIGH (7.2)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection. A user with high privileges is able to become administrator by intercepting the contact form request and altering its payload. This issue affects Centreon: from 22.10.0 before 22.10.28, from 23.04.0 before 23.04.25, from 23.10.0 before 23.10.20, from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
Published: 2025-04-24T09:19:33.900Z
Updated: 2025-04-24T15:22:37.345Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5725 vulnerable 2026-06-03 14:57:53.917461 Centreon initCurveList SQL Injection Remote Code Execution Vulnerability
HIGH (8.8)
Centreon initCurveList SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the initCurveList function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the apache user. Was ZDI-CAN-22683.
Published: 2024-08-21T16:14:52.027Z
Updated: 2024-08-22T15:48:16.728Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-5723 vulnerable 2026-06-03 14:57:53.913263 Centreon updateServiceHost SQL Injection Remote Code Execution Vulnerability
HIGH (8.8)
Centreon updateServiceHost SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateServiceHost function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the apache user. Was ZDI-CAN-23294.
Published: 2024-08-21T16:14:43.583Z
Updated: 2024-08-21T17:27:57.933Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-39842 vulnerable 2026-06-03 14:56:22.563892 Details available
A SQL injection vulnerability in Centreon 24.04.2 allows a remote high-privileged attacker to execute arbitrary SQL commands via user massive changes inputs.
Published: 2024-09-23T00:00:00.000Z
Updated: 2024-09-23T18:58:21.141Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-32501 vulnerable 2026-06-03 14:55:41.151726 Details available
A SQL Injection vulnerability exists in the updateServiceHost functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
Published: 2024-08-23T00:00:00.000Z
Updated: 2024-08-27T14:57:21.452Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23119 vulnerable 2026-06-03 14:55:01.641994 Centreon insertGraphTemplate SQL Injection Remote Code Execution Vulnerability
HIGH (8.8)
Centreon insertGraphTemplate SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the insertGraphTemplate function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22339.
Published: 2024-04-01T21:48:27.225Z
Updated: 2024-08-01T22:51:11.351Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23118 vulnerable 2026-06-03 14:55:01.641610 Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability
HIGH (7.2)
Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateContactHostCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22298.
Published: 2024-04-01T21:48:11.076Z
Updated: 2024-08-21T22:36:44.600Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23118 not_vulnerable 2026-06-03 14:55:01.641501 Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability
HIGH (7.2)
Centreon updateContactHostCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateContactHostCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22298.
Published: 2024-04-01T21:48:11.076Z
Updated: 2024-08-21T22:36:44.600Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23117 vulnerable 2026-06-03 14:55:01.640944 Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability
HIGH (7.2)
Centreon updateContactServiceCommands SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateContactServiceCommands function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22297.
Published: 2024-04-01T21:47:42.390Z
Updated: 2024-08-29T19:21:50.061Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23116 vulnerable 2026-06-03 14:55:01.640437 Centreon updateLCARelation SQL Injection Remote Code Execution Vulnerability
HIGH (7.2)
Centreon updateLCARelation SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateLCARelation function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22296.
Published: 2024-04-01T21:47:27.377Z
Updated: 2024-08-12T19:08:12.424Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23115 vulnerable 2026-06-03 14:55:01.636950 Centreon updateGroups SQL Injection Remote Code Execution Vulnerability
HIGH (7.2)
Centreon updateGroups SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateGroups function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22295.
Published: 2024-04-01T21:47:10.063Z
Updated: 2025-03-12T16:44:02.354Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-0637 vulnerable 2026-06-03 14:54:03.127613 Centreon updateDirectory SQL Injection Remote Code Execution Vulnerability
HIGH (8.8)
Centreon updateDirectory SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateDirectory function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-22294.
Published: 2024-04-01T21:45:52.634Z
Updated: 2024-08-01T18:11:35.640Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-51633 vulnerable 2026-06-03 14:53:38.144634 Centreon sysName Cross-Site Scripting Remote Code Execution Vulnerability
HIGH (7.5)
Centreon sysName Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. User interaction is required to exploit this vulnerability. The specific flaw exists within the processing of the sysName OID in SNMP. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-20731.
Published: 2024-05-03T02:15:50.555Z
Updated: 2024-08-02T22:40:34.140Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-42429 vulnerable 2026-06-03 14:48:12.567928 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18557.
Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-14T16:33:47.283Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-42428 vulnerable 2026-06-03 14:48:12.567649 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18410.
Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-14T16:33:23.700Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-42427 vulnerable 2026-06-03 14:48:12.567354 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the contact groups configuration page. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18541.
Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-14T16:33:03.975Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-42426 vulnerable 2026-06-03 14:48:12.567051 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18554.
Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-14T16:32:42.080Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-42425 vulnerable 2026-06-03 14:48:12.566732 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18555.
Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-14T16:32:24.022Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-42424 vulnerable 2026-06-03 14:48:12.566333 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to modify poller broker configuration. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18556.
Published: 2023-03-29T00:00:00.000Z
Updated: 2025-02-14T16:30:57.103Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-41142 vulnerable 2026-06-03 14:48:05.034468 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of requests to configure poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-18304.
Published: 2023-01-26T00:00:00.000Z
Updated: 2025-04-01T14:53:46.735Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-3827 vulnerable 2026-06-03 14:47:59.354399 centreon Contact Groups Form formContactGroup.php sql injection
MEDIUM (6.3)
A vulnerability was found in centreon. It has been declared as critical. This vulnerability affects unknown code of the file formContactGroup.php of the component Contact Groups Form. The manipulation of the argument cg_id leads to sql injection. The attack can be initiated remotely. The name of the patch is 293b10628f7d9f83c6c82c78cf637cbe9b907369. It is recommended to apply a patch to fix this issue. VDB-212794 is the identifier assigned to this vulnerability.
Published: 2022-11-02T00:00:00.000Z
Updated: 2025-04-15T13:17:42.540Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-34872 vulnerable 2026-06-03 14:47:37.189861 Details available
MEDIUM (6.5)
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of Virtual Metrics. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16336.
Published: 2022-08-03T15:21:26.000Z
Updated: 2024-08-03T09:22:10.611Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-34871 vulnerable 2026-06-03 14:47:37.188473 Details available
HIGH (7.2)
This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-16335.
Published: 2022-08-03T15:21:13.000Z
Updated: 2026-06-02T14:33:53.838Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-37558 vulnerable 2026-06-03 14:45:00.748976 Details available
A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php.
Published: 2021-08-03T15:37:07.000Z
Updated: 2024-08-04T01:23:01.423Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-37557 vulnerable 2026-06-03 14:45:00.748641 Details available
A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter.
Published: 2021-08-03T15:34:11.000Z
Updated: 2024-08-04T01:23:01.367Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-37556 vulnerable 2026-06-03 14:45:00.748238 Details available
A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters.
Published: 2021-08-03T15:31:42.000Z
Updated: 2024-08-04T01:23:01.156Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-13252 vulnerable 2026-06-03 14:41:36.487619 Details available
Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.
Published: 2020-05-21T03:35:00.000Z
Updated: 2024-08-04T12:11:19.468Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-10945 vulnerable 2026-06-03 14:41:00.756808 Details available
Centreon before 19.10.7 exposes Session IDs in server responses.
Published: 2020-05-27T15:12:31.000Z
Updated: 2024-08-04T11:21:13.979Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-20327 vulnerable 2026-06-03 14:40:16.531509 Details available
Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.)
Published: 2020-01-16T14:27:55.000Z
Updated: 2024-08-05T02:39:09.807Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-19699 vulnerable 2026-06-03 14:40:05.414394 Details available
There is authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration. This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration.
Published: 2020-04-06T15:30:11.000Z
Updated: 2024-08-05T02:25:12.203Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-19487 vulnerable 2026-06-03 14:40:05.153752 Details available
Command Injection in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to achieve command injection via a plugin test.
Published: 2020-03-20T02:36:41.000Z
Updated: 2024-08-05T02:16:47.406Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-19486 vulnerable 2026-06-03 14:40:05.153384 Details available
Local File Inclusion in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to traverse paths via a plugin test.
Published: 2020-03-20T02:36:55.000Z
Updated: 2024-08-05T02:16:47.403Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-19484 vulnerable 2026-06-03 14:40:05.152909 Details available
Open redirect via parameter ‘p’ in login.php in Centreon (19.04.4 and below) allows an attacker to craft a payload and execute unintended behavior.
Published: 2020-03-20T02:37:18.000Z
Updated: 2024-08-05T02:16:47.404Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-17647 vulnerable 2026-06-03 14:39:56.711146 Details available
An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, and 19.10.2. SQL Injection exists via the include/monitoring/status/Hosts/xml/hostXML.php instance parameter.
Published: 2020-03-05T19:33:56.000Z
Updated: 2024-08-05T01:47:13.544Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-17646 vulnerable 2026-06-03 14:39:56.710782 Details available
An issue was discovered in Centreon before 18.10.8, 19.04.5, and 19.10.2. It provides sensitive information via an unauthenticated direct request for api/external.php?object=centreon_metric&action=listByService.
Published: 2020-03-05T19:49:32.000Z
Updated: 2024-08-05T01:47:13.562Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-17645 vulnerable 2026-06-03 14:39:56.710424 Details available
An issue was discovered in Centreon before 2.8.31, 18.10.9, 19.04.6, and 19.10.3. It provides sensitive information via an unauthenticated direct request for include/configuration/configObject/service/refreshMacroAjax.php.
Published: 2020-03-05T16:34:55.000Z
Updated: 2024-08-05T01:47:13.523Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-17644 vulnerable 2026-06-03 14:39:56.710047 Details available
An issue was discovered in Centreon before 2.8-30, 18.10-8, 19.04-5, and 19.10-2. It provides sensitive information via an unauthenticated direct request for include/configuration/configObject/host/refreshMacroAjax.php.
Published: 2020-03-04T21:54:24.000Z
Updated: 2024-08-05T01:47:13.570Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-17643 vulnerable 2026-06-03 14:39:56.709742 Details available
An issue was discovered in Centreon before 2.8-30, 18.10-8, 19.04-5, and 19.10-2. It provides sensitive information via an unauthenticated direct request for include/monitoring/recurrentDowntime/GetXMLHost4Services.php.
Published: 2020-03-04T21:32:43.000Z
Updated: 2024-08-05T01:47:13.553Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-17642 vulnerable 2026-06-03 14:39:56.709365 Details available
An issue was discovered in Centreon before 18.10.8, 19.10.1, and 19.04.2. It allows CSRF with resultant remote command execution via shell metacharacters in a POST to centreon-autodiscovery-server/views/scan/ajax/call.php in the Autodiscovery plugin.
Published: 2020-03-05T16:55:32.000Z
Updated: 2024-08-05T01:47:13.575Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-16195 vulnerable 2026-06-03 14:39:53.983948 Details available
Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 allows XSS via myAccount alias and name fields.
Published: 2019-11-26T17:03:34.000Z
Updated: 2024-08-05T01:10:41.282Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-16194 vulnerable 2026-06-03 14:39:53.983497 Details available
SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php.
Published: 2019-09-25T15:21:40.000Z
Updated: 2024-08-05T01:10:41.592Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-21024 vulnerable 2026-06-03 14:38:40.049179 Details available
licenseUpload.php in Centreon Web before 2.8.27 allows attackers to upload arbitrary files via a POST request.
Published: 2019-10-08T14:32:56.000Z
Updated: 2024-08-05T12:19:27.217Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19312 vulnerable 2026-06-03 14:38:29.180817 Details available
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.
Published: 2018-11-16T19:00:00.000Z
Updated: 2024-08-05T11:30:04.184Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19311 vulnerable 2026-06-03 14:38:29.180462 Details available
Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen.
Published: 2018-11-16T19:00:00.000Z
Updated: 2024-08-05T11:30:04.082Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-19280 vulnerable 2026-06-03 14:38:29.133224 Details available
Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro.
Published: 2018-11-14T20:00:00.000Z
Updated: 2024-08-05T11:30:04.094Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2015-1561 vulnerable 2026-06-03 14:34:39.669689 Details available
The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.
Published: 2015-07-14T16:00:00.000Z
Updated: 2024-08-06T04:47:17.155Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2015-1560 vulnerable 2026-06-03 14:34:39.669276 Details available
SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php.
Published: 2015-07-14T16:00:00.000Z
Updated: 2024-08-06T04:47:17.040Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2012-5967 vulnerable 2026-06-03 14:32:32.509848 Details available
SQL injection vulnerability in menuXML.php in Centreon 2.3.3 through 2.3.9-4 (fixed in Centreon web 2.6.0) allows remote authenticated users to execute arbitrary SQL commands via the menu parameter.
Published: 2012-12-19T11:00:00.000Z
Updated: 2024-08-06T21:21:28.270Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2008-1179 vulnerable 2026-06-03 14:28:39.619759 Details available
Multiple cross-site scripting (XSS) vulnerabilities in include/common/javascript/color_picker.php in Centreon 1.4.2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) title parameters. NOTE: some of these details are obtained from third party information.
Published: 2008-03-06T00:00:00.000Z
Updated: 2024-08-07T08:08:57.828Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2008-1178 vulnerable 2026-06-03 14:28:39.619360 Details available
Directory traversal vulnerability in include/doc/index.php in Centreon 1.4.2.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter, a different vector than CVE-2008-1119.
Published: 2008-03-06T00:00:00.000Z
Updated: 2024-08-07T08:08:57.708Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2008-1119 vulnerable 2026-06-03 14:28:39.147661 Details available
Directory traversal vulnerability in include/doc/get_image.php in Centreon 1.4.2.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter.
Published: 2008-03-03T22:00:00.000Z
Updated: 2024-08-07T08:08:57.699Z
Imported from gcve-enriched-dumps CVE data
