Centreon Web Centreon Web

Do you want an email whenever new security vulnerabilities are reported in Centreon Web?

By the Year

In 2024 there have been 0 vulnerabilities in Centreon Web . Centreon Web did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 1 6.50
2020 1 8.80
2019 12 7.77
2018 3 8.33

It may take a day or so for new Centreon Web vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Centreon Web Security Vulnerabilities

Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2

CVE-2021-26804 6.5 - Medium - May 04, 2021

Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by changing any file extension to ".gif", then uploading it in the "Administration/ Parameters/ Images" section of the application.

Incorrect Default Permissions

An issue was discovered in Centreon Web through 19.04.3

CVE-2019-15299 8.8 - High - February 24, 2020

An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autologin_key field in the database becomes blank when it should be NULL. This makes it possible to partially bypass authentication.

authentification

A problem was found in Centreon Web through 19.04.3

CVE-2019-15298 8.8 - High - November 27, 2019

A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. This allows one to inject Linux commands directly.

Shell injection

A problem was found in Centreon Web through 19.04.3

CVE-2019-15300 8.8 - High - November 27, 2019

A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.

SQL Injection

Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2

CVE-2019-16405 7.2 - High - November 21, 2019

Centreon Web before 2.8.30, 18.10.x before 18.10.8, 19.04.x before 19.04.5 and 19.10.x before 19.10.2 allows Remote Code Execution by an administrator who can modify Macro Expression location settings. CVE-2019-16405 and CVE-2019-17501 are similar to one another and may be the same.

Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file

CVE-2019-16406 7.8 - High - November 21, 2019

Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.

Incorrect Permission Assignment for Critical Resource

The token generator in index.php in Centreon Web before 2.8.27 is predictable.

CVE-2019-17105 5.3 - Medium - October 08, 2019

The token generator in index.php in Centreon Web before 2.8.27 is predictable.

Use of Insufficiently Random Values

In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27

CVE-2018-21020 7.5 - High - October 08, 2019

In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place.

Improper Input Validation

img_gantt.php in Centreon Web before 2.8.27

CVE-2018-21021 8.8 - High - October 08, 2019

img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.

SQL Injection

makeXML_ListServices.php in Centreon Web before 2.8.28

CVE-2018-21022 8.8 - High - October 08, 2019

makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.

SQL Injection

getStats.php in Centreon Web before 2.8.28

CVE-2018-21023 8.8 - High - October 08, 2019

getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.

Code Injection

In Centreon Web through 2.8.29, disclosure of external components' passwords

CVE-2019-17106 6.5 - Medium - October 08, 2019

In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.

Cleartext Storage of Sensitive Information

minPlayCommand.php in Centreon Web before 2.8.27

CVE-2019-17107 8.8 - High - October 08, 2019

minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.

Code Injection

Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28

CVE-2019-17108 6.1 - Medium - October 08, 2019

Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.

XSS

Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23

CVE-2018-11589 9.8 - Critical - June 25, 2018

Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.

SQL Injection

There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23

CVE-2018-11587 9.8 - Critical - June 25, 2018

There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php.

Code Injection

Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description

CVE-2018-11588 5.4 - Medium - June 25, 2018

Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Centreon Web or by Centreon? Click the Watch button to subscribe.

Centreon
Vendor

Centreon Web
Product

subscribe