Centreon: Security Vulnerabilities
The token generator in index.php in Centreon Web before 2.8.27 is predictable.
CVSS Score
5.3
EPSS Score
0.001
Published
2019-10-08
licenseUpload.php in Centreon Web before 2.8.27 allows attackers to upload arbitrary files via a POST request.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-10-08
In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set.
CVSS Score
7.5
EPSS Score
0.001
Published
2019-10-08
In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.
CVSS Score
6.5
EPSS Score
0.001
Published
2019-10-08
minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.
CVSS Score
8.8
EPSS Score
0.017
Published
2019-10-08
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.
CVSS Score
6.1
EPSS Score
0.001
Published
2019-10-08
In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place.
CVSS Score
7.5
EPSS Score
0.001
Published
2019-10-08
img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.
CVSS Score
8.8
EPSS Score
0.003
Published
2019-10-08
makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.
CVSS Score
8.8
EPSS Score
0.003
Published
2019-10-08
getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.
CVSS Score
8.8
EPSS Score
0.017
Published
2019-10-08