Vulnerabilities > Centreon > High

DATE CVE VULNERABILITY TITLE RISK
2019-11-21 CVE-2019-16405 Unspecified vulnerability in Centreon web
Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings.
network
low complexity
centreon
7.2
2019-10-14 CVE-2019-17501 OS Command Injection vulnerability in Centreon 19.04.0
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
network
low complexity
centreon CWE-78
8.8
2019-10-08 CVE-2019-17107 OS Command Injection vulnerability in Centreon web
minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter.
network
low complexity
centreon CWE-78
8.8
2019-10-08 CVE-2019-17104 Reliance on Cookies without Validation and Integrity Checking vulnerability in Centreon VM 19.04.2/19.04.3
In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set.
network
low complexity
centreon CWE-565
7.5
2019-10-08 CVE-2018-21023 Code Injection vulnerability in Centreon web
getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.
network
low complexity
centreon CWE-94
8.8
2019-10-08 CVE-2018-21022 SQL Injection vulnerability in Centreon web
makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.
network
low complexity
centreon CWE-89
8.8
2019-10-08 CVE-2018-21021 SQL Injection vulnerability in Centreon web
img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.
network
low complexity
centreon CWE-89
8.8
2019-10-08 CVE-2018-21020 Improper Input Validation vulnerability in Centreon web
In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place.
network
low complexity
centreon CWE-20
7.5
2019-07-01 CVE-2019-13024 Command Injection vulnerability in Centreon 19.04.0
Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).
network
low complexity
centreon CWE-77
8.8
2018-11-16 CVE-2018-19312 SQL Injection vulnerability in Centreon 3.4.0/3.4.1/3.4.6
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.
network
low complexity
centreon CWE-89
8.8