CentreonCVEs & Vulnerabilities

121 CVEs affecting Centreon products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

centreon 75centreon web 59centreon host-monitoring widget 3centreon service-monitoring widget 3centreon tactical-overview widget 3widget-host-monitoring 2centreon vm 2dynamic service management 2
CVE-2019-17107HIGH

minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.

8 Oct 2019
8.8
CVSS
CVE-2019-17106MEDIUM

In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.

8 Oct 2019
6.5
CVSS
CVE-2019-17104HIGH

In Centreon VM through 19.04.3, the cookie configuration within the Apache HTTP Server does not protect against theft because the HTTPOnly flag is not set.

8 Oct 2019
7.5
CVSS
CVE-2018-21025CRITICAL

In Centreon VM through 19.04.3, centreon-backup.pl allows attackers to become root via a crafted script, due to incorrect rights of sourced configuration files.

8 Oct 2019
9.8
CVSS
CVE-2018-21023HIGH

getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.

8 Oct 2019
8.8
CVSS
CVE-2018-21022HIGH

makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.

8 Oct 2019
8.8
CVSS
CVE-2018-21021HIGH

img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.

8 Oct 2019
8.8
CVSS
CVE-2018-21020HIGH

In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place.

8 Oct 2019
7.5
CVSS
CVE-2019-16194CRITICAL

SQL injection vulnerabilities in Centreon through 19.04 allow attacks via the svc_id parameter in include/monitoring/status/Services/xml/makeXMLForOneService.php.

25 Sep 2019
9.8
CVSS
CVE-2019-13024HIGHpoc

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

1 Jul 2019
8.8
CVSS
CVE-2018-19312HIGH

Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.24) allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.

16 Nov 2018
8.8
CVSS
CVE-2018-19311MEDIUM

Centreon 3.4.x (fixed in Centreon 18.10.0) allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen.

16 Nov 2018
5.4
CVSS
CVE-2018-19281CRITICAL

Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.27) allows SNMP trap SQL Injection.

14 Nov 2018
9.8
CVSS
CVE-2018-19280MEDIUM

Centreon 3.4.x (fixed in Centreon 18.10.0) has XSS via the resource name or macro expression of a poller macro.

14 Nov 2018
6.1
CVSS
CVE-2018-19271HIGH

Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.28) allows SQL Injection via the main.php searchH parameter.

14 Nov 2018
8.8
CVSS
CVE-2018-11589CRITICAL

Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.

25 Jun 2018
9.8
CVSS
CVE-2018-11588MEDIUM

Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php.

25 Jun 2018
5.4
CVSS
CVE-2018-11587CRITICAL

There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php.

25 Jun 2018
9.8
CVSS
CVE-2015-7672MEDIUM

Cross-site scripting (XSS) vulnerability in Centreon 2.6.1 (fixed in Centreon 18.10.0 and Centreon web 2.8.27).

7 Sep 2017
5.4
CVSS
CVE-2015-1561MEDIUMpoc

The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.

14 Jul 2015
6.5
CVSS
CVE-2015-1560HIGHpoc

SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon web 2.7.0) allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/XmlTree/GetXmlTree.php.

14 Jul 2015
7.5
CVSS
CVE-2008-1179MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in include/common/javascript/color_picker.php in Centreon 1.4.2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) title parameters. NOTE: some of these details are obtained from third party information.

6 Mar 2008
4.3
CVSS
CVE-2008-1178MEDIUMpoc

Directory traversal vulnerability in include/doc/index.php in Centreon 1.4.2.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter, a different vector than CVE-2008-1119.

6 Mar 2008
4.3
CVSS
CVE-2008-1119MEDIUMpoc

Directory traversal vulnerability in include/doc/get_image.php in Centreon 1.4.2.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter.

4 Mar 2008
5.0
CVSS
CVE-2007-6485HIGHpoc

Multiple PHP remote file inclusion vulnerabilities in Centreon 1.4.1 (aka Oreon 1.4) allow remote attackers to execute arbitrary PHP code via a URL in the fileOreonConf parameter to (1) MakeXML.php or (2) MakeXML4statusCounter.php in include/monitoring/engine/.

20 Dec 2007
7.5
CVSS
← PrevPage 3 / 3Next →