RSS   Podatności dla 'Centreon web'   RSS

2021-05-04
 
CVE-2021-26804

CWE-276
 

 
Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by changing any file extension to ".gif", then uploading it in the "Administration/ Parameters/ Images" section of the application.

 
2020-02-24
 
CVE-2019-15299

CWE-287
 

 
An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autologin_key field in the database becomes blank when it should be NULL. This makes it possible to partially bypass authentication.

 
2019-11-27
 
CVE-2019-15300

CWE-89
 

 
A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.

 
 
CVE-2019-15298

CWE-74
 

 
A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. This allows one to inject Linux commands directly.

 
2019-11-21
 
CVE-2019-16406

CWE-732
 

 
Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.

 
 
CVE-2019-16405

CWE-20
 

 
Centreon Web 19.04.4 allows Remote Code Execution by an administrator who can modify Macro Expression location settings.

 
2019-10-08
 
CVE-2019-17105

CWE-330
 

 
The token generator in index.php in Centreon Web before 2.8.27 is predictable.

 
 
CVE-2019-17108

CWE-79
 

 
Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.

 
 
CVE-2019-17107

CWE-94
 

 
minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.

 
 
CVE-2019-17106

CWE-312
 

 
In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.

 


Copyright 2024, cxsecurity.com

 

Back to Top