Filtered by vendor Centreon
Subscriptions
Filtered by product Centreon Web
Subscriptions
Total
29 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-53923 | 1 Centreon | 1 Centreon Web | 2025-06-06 | 9.1 Critical |
| An issue was discovered in Centreon Web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to achieve SQL injection in the form to upload media. | ||||
| CVE-2024-55573 | 1 Centreon | 1 Centreon Web | 2025-06-06 | 9.1 Critical |
| An issue was discovered in Centreon centreon-web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to inject SQL into the form used to create virtual metrics. | ||||
| CVE-2024-39841 | 1 Centreon | 1 Centreon Web | 2025-05-09 | 8.8 High |
| A SQL Injection vulnerability exists in the service configuration functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. | ||||
| CVE-2024-33854 | 1 Centreon | 1 Centreon Web | 2025-05-09 | 9.1 Critical |
| A SQL Injection vulnerability exists in the Graph Template component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. | ||||
| CVE-2024-33853 | 1 Centreon | 1 Centreon Web | 2025-05-09 | 9.1 Critical |
| A SQL Injection vulnerability exists in the Timeperiod component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. | ||||
| CVE-2024-33852 | 1 Centreon | 1 Centreon Web | 2025-05-09 | 9.1 Critical |
| A SQL Injection vulnerability exists in the Downtime component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. | ||||
| CVE-2024-32501 | 1 Centreon | 2 Centreon, Centreon Web | 2025-05-09 | 9.8 Critical |
| A SQL Injection vulnerability exists in the updateServiceHost functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. | ||||
| CVE-2025-3872 | 1 Centreon | 1 Centreon Web | 2025-04-29 | 7.2 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection. A user with high privileges is able to become administrator by intercepting the contact form request and altering its payload. This issue affects Centreon: from 22.10.0 before 22.10.28, from 23.04.0 before 23.04.25, from 23.10.0 before 23.10.20, from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4. | ||||
| CVE-2024-5725 | 1 Centreon | 1 Centreon Web | 2024-11-26 | 8.8 High |
| Centreon initCurveList SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the initCurveList function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the apache user. Was ZDI-CAN-22683. | ||||
| CVE-2024-5723 | 1 Centreon | 2 Centreon, Centreon Web | 2024-11-26 | 8.8 High |
| Centreon updateServiceHost SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the updateServiceHost function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the apache user. Was ZDI-CAN-23294. | ||||
| CVE-2024-47863 | 1 Centreon | 1 Centreon Web | 2024-11-25 | 6.2 Medium |
| An issue was discovered in Centreon Web 24.10.x before 24.10.0, 24.04.x before 24.04.8, 23.10.x before 23.10.18, 23.04.x before 23.04.23, and 22.10.x before 22.10.26. A stored XSS was found in the user configuration contact name field. This form is only accessible to authenticated users with high-privilege access. | ||||
| CVE-2023-51633 | 1 Centreon | 1 Centreon Web | 2024-11-25 | 9.6 Critical |
| Centreon sysName Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. User interaction is required to exploit this vulnerability. The specific flaw exists within the processing of the sysName OID in SNMP. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-20731. | ||||
| CVE-2021-26804 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 6.5 Medium |
| Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by changing any file extension to ".gif", then uploading it in the "Administration/ Parameters/ Images" section of the application. | ||||
| CVE-2019-17108 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 6.1 Medium |
| Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user. | ||||
| CVE-2019-17107 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 8.8 High |
| minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect. | ||||
| CVE-2019-17106 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 6.5 Medium |
| In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components. | ||||
| CVE-2019-17105 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 5.3 Medium |
| The token generator in index.php in Centreon Web before 2.8.27 is predictable. | ||||
| CVE-2019-16406 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 7.8 High |
| Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron. | ||||
| CVE-2019-16405 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 7.2 High |
| Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same. | ||||
| CVE-2019-15300 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 8.8 High |
| A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query. | ||||