CentreonCVEs & Vulnerabilities

111 CVEs affecting Centreon products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

centreon 75centreon web 54centreon service-monitoring widget 3centreon tactical-overview widget 3centreon host-monitoring widget 3centreon vm 2widget-host-monitoring 2
CVE-2022-34871HIGH

This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-16335.

3 Aug 2022
7.2
CVSS
CVE-2020-22345HIGH

/graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter.

19 Aug 2021
8.8
CVSS
CVE-2021-37558CRITICAL

A SQL injection vulnerability in a MediaWiki script in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote unauthenticated attackers to execute arbitrary SQL commands via the host_name and service_description parameters. The vulnerability can be exploited only when a valid Knowledge Base URL is configured on the Knowledge Base configuration page and points to a MediaWiki instance. This relates to the proxy feature in class/centreon-knowledge/ProceduresProxy.class.php and include/configuration/configKnowledge/proxy/proxy.php.

3 Aug 2021
9.8
CVSS
CVE-2021-37557HIGH

A SQL injection vulnerability in image generation in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/views/graphs/generateGraphs/generateImage.php index parameter.

3 Aug 2021
8.8
CVSS
CVE-2021-37556HIGH

A SQL injection vulnerability in reporting export in Centreon before 20.04.14, 20.10.8, and 21.04.2 allows remote authenticated (but low-privileged) attackers to execute arbitrary SQL commands via the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php start and end parameters.

3 Aug 2021
8.8
CVSS
CVE-2021-28053HIGH

An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. A SQL injection vulnerability in "Configuration > Users > Contacts / Users" allows remote authenticated users to execute arbitrary SQL commands via the Additional Information parameters.

16 Jul 2021
8.8
CVSS
CVE-2021-28054MEDIUM

An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. A Stored Cross-Site Scripting (XSS) issue in "Configuration > Hosts" allows remote authenticated users to inject arbitrary web script or HTML via the Alias parameter.

16 Jul 2021
5.4
CVSS
CVE-2021-27676MEDIUM

Centreon version 20.10.2 is affected by a cross-site scripting (XSS) vulnerability. The dep_description (Dependency Description) and dep_name (Dependency Name) parameters are vulnerable to stored XSS. A user has to log in and go to the Configuration > Notifications > Hosts page.

26 May 2021
5.4
CVSS
CVE-2021-26804MEDIUM

Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by changing any file extension to ".gif", then uploading it in the "Administration/ Parameters/ Images" section of the application.

4 May 2021
6.5
CVSS
CVE-2021-28055MEDIUM

An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user.

15 Apr 2021
6.5
CVSS
CVE-2020-22425HIGH

Centreon 19.10-3.el7 is affected by a SQL injection vulnerability, where an authorized user is able to inject additional SQL queries to perform remote command execution.

15 Feb 2021
8.8
CVSS
CVE-2020-13628MEDIUM

Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the widgetId parameter to host-monitoring/src/toolbar.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.04.3, 19.10.2 of the Centreon service-monitoring widget; and 1.0.3, 18.10.1, 19.04.1, 19.10.1 of the Centreon tactical-overview widget.

27 May 2020
6.1
CVSS
CVE-2020-13627MEDIUM

Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the widgetId parameter to service-monitoring/src/index.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.04.3, 19.10.2 of the Centreon service-monitoring widget; and 1.0.3, 18.10.1, 19.04.1, 19.10.1 of the Centreon tactical-overview widget.

27 May 2020
6.1
CVSS
CVE-2020-10946MEDIUM

Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the page parameter to service-monitoring/src/index.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.04.3, 19.10.2 of the Centreon service-monitoring widget; and 1.0.3, 18.10.1, 19.04.1, 19.10.1 of the Centreon tactical-overview widget.

27 May 2020
6.1
CVSS
CVE-2020-10945MEDIUM

Centreon before 19.10.7 exposes Session IDs in server responses.

27 May 2020
4.3
CVSS
CVE-2020-13252HIGH

Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path (via a main.get.php request) and then visiting the include/views/graphs/graphStatus/displayServiceStatus.php page.

21 May 2020
8.8
CVSS
CVE-2019-19699HIGH

There is Authenticated remote code execution in Centreon Infrastructure Monitoring Software through 19.10 via Pollers misconfiguration, leading to system compromise via apache crontab misconfiguration, This allows the apache user to modify an executable file executed by root at 22:30 every day. To exploit the vulnerability, someone must have Admin access to the Centreon Web Interface and create a custom main.php?p=60803&type=3 command. The user must then set the Pollers Post-Restart Command to this previously created command via the main.php?p=60901&o=c&server_id=1 URI. This is triggered via an export of the Poller Configuration.

6 Apr 2020
7.2
CVSS
CVE-2019-19487HIGH

Command Injection in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to achieve command injection via a plugin test.

20 Mar 2020
8.8
CVSS
CVE-2019-19486MEDIUM

Local File Inclusion in minPlayCommand.php in Centreon (19.04.4 and below) allows an attacker to traverse paths via a plugin test.

20 Mar 2020
6.5
CVSS
CVE-2019-19484MEDIUM

Open redirect via parameter ‘p’ in login.php in Centreon (19.04.4 and below) allows an attacker to craft a payload and execute unintended behavior.

20 Mar 2020
6.1
CVSS
CVE-2019-17647CRITICAL

An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, and 19.10.2. SQL Injection exists via the include/monitoring/status/Hosts/xml/hostXML.php instance parameter.

5 Mar 2020
9.8
CVSS
CVE-2019-17646HIGH

An issue was discovered in Centreon before 18.10.8, 19.04.5, and 19.10.2. It provides sensitive information via an unauthenticated direct request for api/external.php?object=centreon_metric&action=listByService.

5 Mar 2020
7.5
CVSS
CVE-2019-17645HIGH

An issue was discovered in Centreon before 2.8.31, 18.10.9, 19.04.6, and 19.10.3. It provides sensitive information via an unauthenticated direct request for include/configuration/configObject/service/refreshMacroAjax.php.

5 Mar 2020
7.5
CVSS
CVE-2019-17642HIGH

An issue was discovered in Centreon before 18.10.8, 19.10.1, and 19.04.2. It allows CSRF with resultant remote command execution via shell metacharacters in a POST to centreon-autodiscovery-server/views/scan/ajax/call.php in the Autodiscovery plugin.

5 Mar 2020
8.8
CVSS
CVE-2019-17644HIGH

An issue was discovered in Centreon before 2.8-30, 18.10-8, 19.04-5, and 19.10-2.. It provides sensitive information via an unauthenticated direct request for include/configuration/configObject/host/refreshMacroAjax.php.

5 Mar 2020
7.5
CVSS
CVE-2019-17643HIGH

An issue was discovered in Centreon before 2.8-30,18.10-8, 19.04-5, and 19.10-2. It provides sensitive information via an unauthenticated direct request for include/monitoring/recurrentDowntime/GetXMLHost4Services.php.

5 Mar 2020
7.5
CVSS
CVE-2020-9463HIGH

Centreon 19.10 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the server_ip field in JSON data in an api/internal.php?object=centreon_configuration_remote request.

28 Feb 2020
8.8
CVSS
CVE-2019-15299HIGH

An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autologin_key field in the database becomes blank when it should be NULL. This makes it possible to partially bypass authentication.

24 Feb 2020
8.8
CVSS
CVE-2019-20327HIGH

Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution of Perl scripts with root privileges.)

16 Jan 2020
7.8
CVSS
CVE-2019-15300HIGH

A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.

27 Nov 2019
8.8
CVSS
CVE-2019-15298HIGH

A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. This allows one to inject Linux commands directly.

27 Nov 2019
8.8
CVSS
CVE-2019-16195MEDIUM

Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 allows XSS via myAccount alias and name fields.

26 Nov 2019
6.1
CVSS
CVE-2019-16406HIGH

Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.

21 Nov 2019
7.8
CVSS
CVE-2019-16405HIGHpoc

Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same.

21 Nov 2019
7.2
CVSS
CVE-2019-17501HIGH

Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen). CVE-2019-17501 and CVE-2019-16405 are similar to one another and may be the same.

14 Oct 2019
8.8
CVSS
CVE-2019-17105MEDIUM

The token generator in index.php in Centreon Web before 2.8.27 is predictable.

8 Oct 2019
5.3
CVSS
CVE-2018-21024CRITICAL

licenseUpload.php in Centreon Web before 2.8.27 allows attackers to upload arbitrary files via a POST request.

8 Oct 2019
9.8
CVSS
CVE-2019-17108MEDIUM

Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.

8 Oct 2019
6.1
CVSS
CVE-2019-17107HIGH

minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.

8 Oct 2019
8.8
CVSS
CVE-2019-17106MEDIUM

In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.

8 Oct 2019
6.5
CVSS
CVE-2019-17104HIGH

In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set.

8 Oct 2019
7.5
CVSS
CVE-2018-21025CRITICAL

In Centreon VM through 19.04.3, centreon-backup.pl allows attackers to become root via a crafted script, due to incorrect rights of sourced configuration files.

8 Oct 2019
9.8
CVSS
CVE-2018-21023HIGH

getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.

8 Oct 2019
8.8
CVSS
CVE-2018-21022HIGH

makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.

8 Oct 2019
8.8
CVSS
CVE-2018-21021HIGH

img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.

8 Oct 2019
8.8
CVSS
CVE-2018-21020HIGH

In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place.

8 Oct 2019
7.5
CVSS
CVE-2019-16194CRITICAL

SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php.

25 Sep 2019
9.8
CVSS
CVE-2019-13024HIGHpoc

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

1 Jul 2019
8.8
CVSS
Centreon CVEs & Vulnerabilities — 111 Tracked — Page 2