Search criteria
9 vulnerabilities found for centurion_erp by nofusscomputing
FKIE_CVE-2025-58156
Vulnerability from fkie_nvd - Published: 2025-08-29 22:15 - Updated: 2025-09-24 18:20
Severity ?
1.9 (Low) - CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nofusscomputing | centurion_erp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nofusscomputing:centurion_erp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "19D7D2C6-7868-40B8-9FC4-E53824C3B942",
"versionEndExcluding": "1.21.0",
"versionStartIncluding": "1.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database."
}
],
"id": "CVE-2025-58156",
"lastModified": "2025-09-24T18:20:44.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-08-29T22:15:32.513",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/974"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-53855
Vulnerability from fkie_nvd - Published: 2024-11-27 19:15 - Updated: 2025-09-23 13:05
Severity ?
1.9 (Low) - CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nofusscomputing | centurion_erp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nofusscomputing:centurion_erp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "65D579A4-4F25-4681-916B-E77B96BD9C3D",
"versionEndExcluding": "1.3.1",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a \"ticket type\" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended."
},
{
"lang": "es",
"value": "Centurion ERP (Enterprise Rescource Planning) es una aplicaci\u00f3n sencilla desarrollada para proporcionar gesti\u00f3n de TI de c\u00f3digo abierto con un gran \u00e9nfasis en los m\u00f3dulos de Gesti\u00f3n de servicios de TI (ITSM). Un usuario que est\u00e1 autenticado y tiene permisos de visualizaci\u00f3n para un ticket, puede ver los tickets de otra organizaci\u00f3n de la que no forma parte. Los usuarios con los siguientes permisos son aplicables: 1. El permiso `view_ticket_change` puede ver los tickets de cambio de las organizaciones de las que no forma parte. 2. El permiso `view_ticket_incident` puede ver los tickets de incidentes de las organizaciones de las que no forma parte. 3. El permiso `view_ticket_request` puede ver los tickets de solicitud de las organizaciones de las que no forma parte. 4. El permiso `view_ticket_problem` puede ver los tickets de problemas de las organizaciones de las que no forma parte. El acceso para ver los tickets de diferentes organizaciones solo es aplicable cuando se navega por los puntos finales de la API para los tickets en cuesti\u00f3n. La interfaz de usuario de Centurion no se ve afectada. Las tareas del proyecto, aunque sean un \"tipo de ticket\", tampoco se ven afectadas. Este problema se ha solucionado en la versi\u00f3n 1.3.1 y se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n pueden eliminar los permisos de visualizaci\u00f3n de tickets, lo que aliviar\u00eda esta vulnerabilidad. Si esto no se considera viable, se recomienda actualizar la versi\u00f3n."
}
],
"id": "CVE-2024-53855",
"lastModified": "2025-09-23T13:05:09.697",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-27T19:15:33.563",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/399"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-653"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-49373
Vulnerability from fkie_nvd - Published: 2024-10-22 16:15 - Updated: 2024-10-30 21:16
Severity ?
4.1 (Medium) - CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nofusscomputing | centurion_erp | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nofusscomputing:centurion_erp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D4A55D5-C672-4ED6-B9F6-A93AFFE1990C",
"versionEndExcluding": "1.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem."
},
{
"lang": "es",
"value": " No Fuss Computing Centurion ERP es un software de planificaci\u00f3n de recursos empresariales (ERP) de c\u00f3digo abierto. Antes de la versi\u00f3n 1.2.1, un usuario autenticado pod\u00eda ver proyectos dentro de organizaciones de las que no formaba parte. La versi\u00f3n 1.2.1 soluciona el problema."
}
],
"id": "CVE-2024-49373",
"lastModified": "2024-10-30T21:16:59.213",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-22T16:15:08.860",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/358"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-653"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-58156 (GCVE-0-2025-58156)
Vulnerability from cvelistv5 – Published: 2025-08-29 21:40 – Updated: 2025-09-02 19:22
VLAI?
Title
Centurion ERP users can view hashed authentication tokens that belong to other users
Summary
Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nofusscomputing | centurion_erp |
Affected:
>= 1.12.0, < 1.21.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:22:11.950327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:22:22.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centurion_erp",
"vendor": "nofusscomputing",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 1.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T21:40:16.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/974",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/974"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34"
}
],
"source": {
"advisory": "GHSA-x75j-cm35-5qcg",
"discovery": "UNKNOWN"
},
"title": "Centurion ERP users can view hashed authentication tokens that belong to other users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58156",
"datePublished": "2025-08-29T21:40:16.813Z",
"dateReserved": "2025-08-27T13:34:56.185Z",
"dateUpdated": "2025-09-02T19:22:22.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53855 (GCVE-0-2024-53855)
Vulnerability from cvelistv5 – Published: 2024-11-27 18:27 – Updated: 2024-11-27 19:32
VLAI?
Title
User can view tickets from organizations they're not apart of in centurion_erp
Summary
Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
Severity ?
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nofusscomputing | centurion_erp |
Affected:
>= 1.2.0, < 1.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T19:23:43.116745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T19:32:45.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centurion_erp",
"vendor": "nofusscomputing",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a \"ticket type\" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653: Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T18:27:04.960Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/399",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/399"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1"
}
],
"source": {
"advisory": "GHSA-h9q2-fcc6-r65c",
"discovery": "UNKNOWN"
},
"title": "User can view tickets from organizations they\u0027re not apart of in centurion_erp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53855",
"datePublished": "2024-11-27T18:27:04.960Z",
"dateReserved": "2024-11-22T17:30:02.142Z",
"dateUpdated": "2024-11-27T19:32:45.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49373 (GCVE-0-2024-49373)
Vulnerability from cvelistv5 – Published: 2024-10-22 15:58 – Updated: 2024-10-22 17:13
VLAI?
Title
Centurion ERP user can view projects from organizations they're not apart of
Summary
No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem.
Severity ?
4.1 (Medium)
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nofusscomputing | centurion_erp |
Affected:
< 1.2.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T17:09:37.342042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T17:13:39.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centurion_erp",
"vendor": "nofusscomputing",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653: Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T15:58:37.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/358",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/358"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae"
}
],
"source": {
"advisory": "GHSA-5qmx-pr2f-qhj5",
"discovery": "UNKNOWN"
},
"title": "Centurion ERP user can view projects from organizations they\u0027re not apart of"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49373",
"datePublished": "2024-10-22T15:58:37.360Z",
"dateReserved": "2024-10-14T13:56:34.811Z",
"dateUpdated": "2024-10-22T17:13:39.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58156 (GCVE-0-2025-58156)
Vulnerability from nvd – Published: 2025-08-29 21:40 – Updated: 2025-09-02 19:22
VLAI?
Title
Centurion ERP users can view hashed authentication tokens that belong to other users
Summary
Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.
Severity ?
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nofusscomputing | centurion_erp |
Affected:
>= 1.12.0, < 1.21.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-02T19:22:11.950327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-02T19:22:22.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centurion_erp",
"vendor": "nofusscomputing",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.12.0, \u003c 1.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T21:40:16.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-x75j-cm35-5qcg"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/974",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/974"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/commit/332eb1075ad828e5c4c24caeaf5605259eb7ce34"
}
],
"source": {
"advisory": "GHSA-x75j-cm35-5qcg",
"discovery": "UNKNOWN"
},
"title": "Centurion ERP users can view hashed authentication tokens that belong to other users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58156",
"datePublished": "2025-08-29T21:40:16.813Z",
"dateReserved": "2025-08-27T13:34:56.185Z",
"dateUpdated": "2025-09-02T19:22:22.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53855 (GCVE-0-2024-53855)
Vulnerability from nvd – Published: 2024-11-27 18:27 – Updated: 2024-11-27 19:32
VLAI?
Title
User can view tickets from organizations they're not apart of in centurion_erp
Summary
Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a "ticket type" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended.
Severity ?
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nofusscomputing | centurion_erp |
Affected:
>= 1.2.0, < 1.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53855",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T19:23:43.116745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T19:32:45.198Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centurion_erp",
"vendor": "nofusscomputing",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centurion ERP (Enterprise Rescource Planning) is a simple application developed to provide open source IT management with a large emphasis on the IT Service Management (ITSM) modules. A user who is authenticated and has view permissions for a ticket, can view the tickets of another organization they are not apart of. Users with following permissions are applicable: 1. `view_ticket_change` permission can view change tickets from organizations they are not apart of. 2. `view_ticket_incident` permission can view incident tickets from organizations they are not apart of. 3. `view_ticket_request` permission can view request tickets from organizations they are not apart of. 4. `view_ticket_problem` permission can view problem tickets from organizations they are not apart of. The access to view the tickets from different organizations is only applicable when browsing the API endpoints for the tickets in question. The Centurion UI is not affected. Project Tasks, although a \"ticket type\" are also **Not** affected. This issue has been addressed in release version 1.3.1 and users are advised to upgrade. Users unable to upgrade may remove the ticket view permissions from users which would alleviate this vulnerability, if this is deemed not-viable, Upgrading is recommended."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653: Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T18:27:04.960Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-h9q2-fcc6-r65c"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/399",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/399"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/399/commits/61f34876ed0f8362f7185bd5eecfc830a9de5cb0"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/releases/tag/1.3.1"
}
],
"source": {
"advisory": "GHSA-h9q2-fcc6-r65c",
"discovery": "UNKNOWN"
},
"title": "User can view tickets from organizations they\u0027re not apart of in centurion_erp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53855",
"datePublished": "2024-11-27T18:27:04.960Z",
"dateReserved": "2024-11-22T17:30:02.142Z",
"dateUpdated": "2024-11-27T19:32:45.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49373 (GCVE-0-2024-49373)
Vulnerability from nvd – Published: 2024-10-22 15:58 – Updated: 2024-10-22 17:13
VLAI?
Title
Centurion ERP user can view projects from organizations they're not apart of
Summary
No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem.
Severity ?
4.1 (Medium)
CWE
- CWE-653 - Improper Isolation or Compartmentalization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nofusscomputing | centurion_erp |
Affected:
< 1.2.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T17:09:37.342042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T17:13:39.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centurion_erp",
"vendor": "nofusscomputing",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653: Improper Isolation or Compartmentalization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T15:58:37.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nofusscomputing/centurion_erp/security/advisories/GHSA-5qmx-pr2f-qhj5"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/pull/358",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/pull/358"
},
{
"name": "https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nofusscomputing/centurion_erp/commit/c3a4685200faa060167d4fde86e806dc91eddcae"
}
],
"source": {
"advisory": "GHSA-5qmx-pr2f-qhj5",
"discovery": "UNKNOWN"
},
"title": "Centurion ERP user can view projects from organizations they\u0027re not apart of"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-49373",
"datePublished": "2024-10-22T15:58:37.360Z",
"dateReserved": "2024-10-14T13:56:34.811Z",
"dateUpdated": "2024-10-22T17:13:39.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}