Centreon: >> Centreon Web >> 18.10.0 Security Vulnerabilities
A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. This allows one to inject Linux commands directly.
CVSS Score
8.8
EPSS Score
0.089
Published
2019-11-27
Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same.
CVSS Score
7.2
EPSS Score
0.09
Published
2019-11-21
The token generator in index.php in Centreon Web before 2.8.27 is predictable.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-10-08
minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.
CVSS Score
8.8
EPSS Score
0.017
Published
2019-10-08
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.
CVSS Score
6.1
EPSS Score
0.001
Published
2019-10-08
getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.
CVSS Score
8.8
EPSS Score
0.017
Published
2019-10-08
Page 2