Search criteria
140 vulnerabilities found for web by Centreon
CERTFR-2026-AVI-0015
Vulnerability from certfr_avis - Published: 2026-01-08 - Updated: 2026-01-08
De multiples vulnérabilités ont été découvertes dans les produits Centreon. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection SQL (SQLi).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Centreon | DSM | DSM versions 23.10.x antérieures à 23.10.5 | ||
| Centreon | DSM | DSM versions 25.10.x antérieures à 25.10.1 | ||
| Centreon | DSM | DSM versions 24.10.x antérieures à 24.10.4 | ||
| Centreon | Web | Web versions 25.10.x antérieures à 25.10.2 | ||
| Centreon | AWIE | AWIE versions 24.10.x antérieures à 24.10.3 | ||
| Centreon | Web | Web versions 24.10.x antérieures à 24.10.15 | ||
| Centreon | AWIE | AWIE versions 24.04.x antérieures à 24.04.3 | ||
| Centreon | Web | Web versions 23.10.x antérieures à 23.10.29 | ||
| Centreon | DSM | DSM versions 24.04.x antérieures à 24.04.8 | ||
| Centreon | AWIE | AWIE versions 25.10.x antérieures à 25.10.2 | ||
| Centreon | Web | Web versions 24.04.x antérieures à 24.04.19 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "DSM versions 23.10.x ant\u00e9rieures \u00e0 23.10.5",
"product": {
"name": "DSM",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "DSM versions 25.10.x ant\u00e9rieures \u00e0 25.10.1",
"product": {
"name": "DSM",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "DSM versions 24.10.x ant\u00e9rieures \u00e0 24.10.4",
"product": {
"name": "DSM",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 25.10.x ant\u00e9rieures \u00e0 25.10.2",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "AWIE versions 24.10.x ant\u00e9rieures \u00e0 24.10.3",
"product": {
"name": "AWIE",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 24.10.x ant\u00e9rieures \u00e0 24.10.15",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "AWIE versions 24.04.x ant\u00e9rieures \u00e0 24.04.3",
"product": {
"name": "AWIE",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 23.10.x ant\u00e9rieures \u00e0 23.10.29",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "DSM versions 24.04.x ant\u00e9rieures \u00e0 24.04.8",
"product": {
"name": "DSM",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "AWIE versions 25.10.x ant\u00e9rieures \u00e0 25.10.2",
"product": {
"name": "AWIE",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 24.04.x ant\u00e9rieures \u00e0 24.04.19",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-15026",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15026"
},
{
"name": "CVE-2025-12513",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12513"
},
{
"name": "CVE-2025-13056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13056"
},
{
"name": "CVE-2025-5965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5965"
},
{
"name": "CVE-2025-12519",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12519"
},
{
"name": "CVE-2025-15029",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15029"
},
{
"name": "CVE-2025-12511",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12511"
}
],
"initial_release_date": "2026-01-08T00:00:00",
"last_revision_date": "2026-01-08T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0015",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Centreon. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection SQL (SQLi).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Centreon",
"vendor_advisories": [
{
"published_at": "2026-01-08",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-15026-centreon-awie-critical-severity-5357",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357"
},
{
"published_at": "2026-01-08",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-5965-centreon-web-high-severity-5362",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362"
},
{
"published_at": "2026-01-08",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-12513-centreon-web-medium-severity-5360",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12513-centreon-web-medium-severity-5360"
},
{
"published_at": "2026-01-08",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-15029-centreon-awie-critical-severity-5356",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356"
},
{
"published_at": "2026-01-08",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-12519-centreon-web-medium-severity-5359",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359"
},
{
"published_at": "2026-01-08",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-13056-centreon-web-medium-severity-5358",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-13056-centreon-web-medium-severity-5358"
},
{
"published_at": "2026-01-08",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-12511-centreon-dsm-medium-severity-5361",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12511-centreon-dsm-medium-severity-5361"
}
]
}
CERTFR-2025-AVI-1127
Vulnerability from certfr_avis - Published: 2025-12-19 - Updated: 2025-12-19
De multiples vulnérabilités ont été découvertes dans Centreon Web. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Centreon web versions 25.10.x sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-43864",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43864"
},
{
"name": "CVE-2025-43865",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-43865"
}
],
"initial_release_date": "2025-12-19T00:00:00",
"last_revision_date": "2025-12-19T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1127",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Centreon Web. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Centreon Web",
"vendor_advisories": [
{
"published_at": "2025-12-18",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon centreon-web-high-severity-5307",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-high-severity-5307"
}
]
}
CERTFR-2025-AVI-0943
Vulnerability from certfr_avis - Published: 2025-10-31 - Updated: 2025-10-31
De multiples vulnérabilités ont été découvertes dans les produits Centreon. Elles permettent à un attaquant de provoquer une élévation de privilèges et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Centreon | Web | Web versions 24.04.x antérieures à 24.04.16 | ||
| Centreon | MBI | MBI versions 24.04.x antérieures à 24.04.9 | ||
| Centreon | MBI | MBI versions 23.10.x antérieures à 23.10.15 | ||
| Centreon | Web | Web versions 24.10.x antérieures à 24.10.9 | ||
| Centreon | MBI | MBI versions 24.10.x antérieures à 24.10.6 | ||
| Centreon | Web | Web versions 23.10.x antérieures à 23.10.26 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Web versions 24.04.x ant\u00e9rieures \u00e0 24.04.16",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "MBI versions 24.04.x ant\u00e9rieures \u00e0 24.04.9",
"product": {
"name": "MBI",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "MBI versions 23.10.x ant\u00e9rieures \u00e0 23.10.15",
"product": {
"name": "MBI",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 24.10.x ant\u00e9rieures \u00e0 24.10.9",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "MBI versions 24.10.x ant\u00e9rieures \u00e0 24.10.6",
"product": {
"name": "MBI",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 23.10.x ant\u00e9rieures \u00e0 23.10.26",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-8432",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8432"
},
{
"name": "CVE-2025-10023",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-10023"
}
],
"initial_release_date": "2025-10-31T00:00:00",
"last_revision_date": "2025-10-31T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0943",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-31T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Centreon. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Centreon",
"vendor_advisories": [
{
"published_at": "2025-10-30",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-10023-centreon-web-all-versions-medium-severity-5179",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-10023-centreon-web-all-versions-medium-severity-5179"
},
{
"published_at": "2025-10-30",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-8432-centreon-mbi-high-severity-5180",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8432-centreon-mbi-high-severity-5180"
}
]
}
CERTFR-2025-AVI-0914
Vulnerability from certfr_avis - Published: 2025-10-23 - Updated: 2025-10-23
De multiples vulnérabilités ont été découvertes dans les produits Centreon. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une injection de code indirecte à distance (XSS) et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Web versions 24.10.x ant\u00e9rieures \u00e0 24.10.13",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 24.04.x ant\u00e9rieures \u00e0 24.04.18",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 23.10.x ant\u00e9rieures \u00e0 23.10.28",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-54893",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54893"
},
{
"name": "CVE-2025-54892",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54892"
},
{
"name": "CVE-2025-5946",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5946"
},
{
"name": "CVE-2016-10744",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10744"
},
{
"name": "CVE-2025-54889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54889"
},
{
"name": "CVE-2025-8430",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8430"
},
{
"name": "CVE-2025-8429",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8429"
},
{
"name": "CVE-2025-8459",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8459"
},
{
"name": "CVE-2025-8428",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8428"
},
{
"name": "CVE-2025-54891",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54891"
}
],
"initial_release_date": "2025-10-23T00:00:00",
"last_revision_date": "2025-10-23T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0914",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-23T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Centreon. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une injection de code indirecte \u00e0 distance (XSS) et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Centreon",
"vendor_advisories": [
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-8430-centreon-web-all-versions-medium-severity-5118",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8430-centreon-web-all-versions-medium-severity-5118"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-54893-centreon-web-all-versions-medium-severity-5120",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54893-centreon-web-all-versions-medium-severity-5120"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2016-10744-centreon-web-all-versions-medium-severity-5106",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2016-10744-centreon-web-all-versions-medium-severity-5106"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-8429-centreon-web-all-versions-medium-severity-5119",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8429-centreon-web-all-versions-medium-severity-5119"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-8459-centreon-web-all-versions-high-severity-5117",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8459-centreon-web-all-versions-high-severity-5117"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-8428-centreon-web-all-versions-medium-severity-5103",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8428-centreon-web-all-versions-medium-severity-5103"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-5946-centreon-web-all-versions-high-severity-5104",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5946-centreon-web-all-versions-high-severity-5104"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-54889-centreon-web-all-versions-medium-severity-5123",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54889-centreon-web-all-versions-medium-severity-5123"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-54891-centreon-web-all-versions-medium-severity-5122",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54891-centreon-web-all-versions-medium-severity-5122"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon centreon-web-all-versions-medium-severity-5105",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-all-versions-medium-severity-5105"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-54892-centreon-web-all-versions-medium-severity-5121",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54892-centreon-web-all-versions-medium-severity-5121"
}
]
}
CERTFR-2025-AVI-0900
Vulnerability from certfr_avis - Published: 2025-10-22 - Updated: 2025-10-22
De multiples vulnérabilités ont été découvertes dans Centreon Web. Elles permettent à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Web versions 24.10.x ant\u00e9rieures \u00e0 24.10.13",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 24.04.x ant\u00e9rieures \u00e0 24.04.18",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 23.10.x ant\u00e9rieures \u00e0 23.10.28",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-54889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54889"
},
{
"name": "CVE-2025-54891",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54891"
}
],
"initial_release_date": "2025-10-22T00:00:00",
"last_revision_date": "2025-10-22T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0900",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Centreon Web. Elles permettent \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Centreon Web",
"vendor_advisories": [
{
"published_at": "2025-10-21",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-54891-centreon-web-all-versions-medium-severity-5122",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54891-centreon-web-all-versions-medium-severity-5122"
},
{
"published_at": "2025-10-21",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-54889-centreon-web-all-versions-medium-severity-5123",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54889-centreon-web-all-versions-medium-severity-5123"
}
]
}
CERTFR-2025-AVI-0728
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Centreon Web. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Web versions 24.04.x ant\u00e9rieures \u00e0 24.04.17",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 24.10.x ant\u00e9rieures \u00e0 24.10.11",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions ant\u00e9rieures \u00e0 23.10.27",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [],
"links": [],
"reference": "CERTFR-2025-AVI-0728",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-25T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Centreon Web. Elle permet \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Vuln\u00e9rabilit\u00e9 dans Centreon Web",
"vendor_advisories": [
{
"published_at": "2025-08-25",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon centreon-web-all-versions-high-severity-4935",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-all-versions-high-severity-4935"
}
]
}
CERTFR-2025-AVI-0662
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Centreon. Certaines d'entre elles permettent à un attaquant de provoquer une injection SQL (SQLi), un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Centreon | License Manager | License Manager versions antérieures 24.10.x à 24.10.3 | ||
| Centreon | License Manager | License Manager versions antérieures à 23.10.6 | ||
| Centreon | Web | Centreon versions antérieures à 23.10.26 | ||
| Centreon | Web | Centreon versions antérieures 24.04.x à 24.04.16 | ||
| Centreon | License Manager | License Manager versions antérieures 24.04.x à 24.04.5 | ||
| Centreon | Web | Centreon versions antérieures 24.10.x à 24.10.9 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "License Manager versions ant\u00e9rieures 24.10.x \u00e0 24.10.3",
"product": {
"name": "License Manager",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "License Manager versions ant\u00e9rieures \u00e0 23.10.6",
"product": {
"name": "License Manager",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Centreon versions ant\u00e9rieures \u00e0 23.10.26",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Centreon versions ant\u00e9rieures 24.04.x \u00e0 24.04.16",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "License Manager versions ant\u00e9rieures 24.04.x \u00e0 24.04.5",
"product": {
"name": "License Manager",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Centreon versions ant\u00e9rieures 24.10.x \u00e0 24.10.9",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-4650",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4650"
},
{
"name": "CVE-2025-6791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6791"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0662",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-08-07T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Centreon. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une injection SQL (SQLi), un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Centreon",
"vendor_advisories": [
{
"published_at": "2025-08-07",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-6791-centreon-web-all-versions-high-severity-4900",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-6791-centreon-web-all-versions-high-severity-4900"
},
{
"published_at": "2025-08-07",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-4650-centreon-web-all-versions-high-severity-4901",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-4650-centreon-web-all-versions-high-severity-4901"
},
{
"published_at": "2025-08-07",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon centreon-web-all-versions-high-severity-4899",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-all-versions-high-severity-4899"
},
{
"published_at": "2025-08-07",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon centreon-license-manager-all-versions-high-severity-4904",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-license-manager-all-versions-high-severity-4904"
}
]
}
CERTFR-2025-AVI-0493
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Centreon. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Centreon | MBI | MBI Server versions antérieures à 23.04.23 | ||
| Centreon | Map | Map versions antérieures à 23.04.23 | ||
| Centreon | Map | Map versions antérieures à 24.10.5 | ||
| Centreon | MBI | MBI Engine versions antérieures à 24.10.22 | ||
| Centreon | MBI | MBI Server versions antérieures à 23.10.22 | ||
| Centreon | Web | Web versions antérieures à 23.04.27 | ||
| Centreon | Web | Web versions antérieures à 23.10.22 | ||
| Centreon | Map | Map versions antérieures à 23.10.19 | ||
| Centreon | Map | Map versions antérieures à 24.04.11 | ||
| Centreon | MBI | MBI Engine versions antérieures à 23.04.23 | ||
| Centreon | open tickets | open tickets versions antérieures à 23.10.3 | ||
| Centreon | open tickets | open tickets versions antérieures à 23.04.6 |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "MBI Server versions ant\u00e9rieures \u00e0 23.04.23",
"product": {
"name": "MBI",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Map versions ant\u00e9rieures \u00e0 23.04.23",
"product": {
"name": "Map",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Map versions ant\u00e9rieures \u00e0 24.10.5",
"product": {
"name": "Map",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "MBI Engine versions ant\u00e9rieures \u00e0 24.10.22",
"product": {
"name": "MBI",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "MBI Server versions ant\u00e9rieures \u00e0 23.10.22",
"product": {
"name": "MBI",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions ant\u00e9rieures \u00e0 23.04.27",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions ant\u00e9rieures \u00e0 23.10.22",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Map versions ant\u00e9rieures \u00e0 23.10.19",
"product": {
"name": "Map",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Map versions ant\u00e9rieures \u00e0 24.04.11",
"product": {
"name": "Map",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "MBI Engine versions ant\u00e9rieures \u00e0 23.04.23",
"product": {
"name": "MBI",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "open tickets versions ant\u00e9rieures \u00e0 23.10.3",
"product": {
"name": "open tickets",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "open tickets versions ant\u00e9rieures \u00e0 23.04.6",
"product": {
"name": "open tickets",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-46337",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46337"
},
{
"name": "CVE-2024-55573",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-55573"
},
{
"name": "CVE-2023-28447",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28447"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0493",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-06-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Centreon. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Centreon",
"vendor_advisories": [
{
"published_at": "2025-05-12",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2023-28447-centreon-high-severity-4430",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2023-28447-centreon-high-severity-4430"
},
{
"published_at": "2025-06-10",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2022-46337-centreon-mbi-critical-severity-4744",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2022-46337-centreon-mbi-critical-severity-4744"
},
{
"published_at": "2025-05-12",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon centreon-map-critical-severity-4650",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-map-critical-severity-4650"
},
{
"published_at": "2025-05-12",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2022-46337-centreon-mbi-critical-severity-4649",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2022-46337-centreon-mbi-critical-severity-4649"
},
{
"published_at": "2025-05-12",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon updated-cve-2023-28447-centreon-high-severity-4652",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/updated-cve-2023-28447-centreon-high-severity-4652"
}
]
}
CERTFR-2024-AVI-1011
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Centreon Web. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Centreon | Web | Web versions 24.10.x antérieures à 24.10.0 | ||
| Centreon | Web | Web versions 23.04.x antérieures à 23.04.23 | ||
| Centreon | Web | Web versions 23.10.x antérieures à 23.10.18 | ||
| Centreon | Web | Web versions 22.10.x antérieures à 22.10.26 | ||
| Centreon | Web | Web versions 24.04.x antérieures à 24.04.8 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Web versions 24.10.x ant\u00e9rieures \u00e0 24.10.0",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 23.04.x ant\u00e9rieures \u00e0 23.04.23",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 23.10.x ant\u00e9rieures \u00e0 23.10.18",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 22.10.x ant\u00e9rieures \u00e0 22.10.26",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
},
{
"description": "Web versions 24.04.x ant\u00e9rieures \u00e0 24.04.8",
"product": {
"name": "Web",
"vendor": {
"name": "Centreon",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-47863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47863"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-1011",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-11-22T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Centreon Web. Elle permet \u00e0 un attaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).",
"title": "Vuln\u00e9rabilit\u00e9 dans Centreon Web",
"vendor_advisories": [
{
"published_at": "2024-11-22",
"title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2024-47863-centreon-web-medium-severity-4059?postid=14456#post14456",
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-47863-centreon-web-medium-severity-4059?postid=14456#post14456"
}
]
}
CVE-2025-6791 (GCVE-0-2025-6791)
Vulnerability from cvelistv5 – Published: 2025-08-22 18:56 – Updated: 2025-09-16 19:27
VLAI?
Title
Second order SQL injection available to user with low privilege
Summary
In the monitoring event logs page, it is possible to alter the http request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection.This issue affects web: 24.10.0, 24.04.0, 23.10.0.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
SpawnZii by YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T20:11:47.445230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T20:12:00.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Monitoring event logs"
],
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.9",
"status": "affected",
"version": "24.10.0",
"versionType": "custom"
},
{
"lessThan": "24.04.16",
"status": "affected",
"version": "24.04.0",
"versionType": "custom"
},
{
"lessThan": "23.10.26",
"status": "affected",
"version": "23.10.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii by YesWeHack"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the monitoring event logs page, it is possible to alter the http request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection.\u003cp\u003eThis issue affects web: 24.10.0, 24.04.0, 23.10.0.\u003c/p\u003e"
}
],
"value": "In the monitoring event logs page, it is possible to alter the http request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection.This issue affects web: 24.10.0, 24.04.0, 23.10.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:27:33.378Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-6791-centreon-web-all-versions-high-severity-4900"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Second order SQL injection available to user with low privilege",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-6791",
"datePublished": "2025-08-22T18:56:28.027Z",
"dateReserved": "2025-06-27T14:34:22.260Z",
"dateUpdated": "2025-09-16T19:27:33.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4650 (GCVE-0-2025-4650)
Vulnerability from cvelistv5 – Published: 2025-08-22 18:50 – Updated: 2025-08-22 19:01
VLAI?
Title
User with high privileges is able to introduce a SQLi using the Meta Service indicator page
Summary
User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
SpawnZii for YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T19:01:00.491601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T19:01:11.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Meta service indicator page"
],
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.9",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
},
{
"lessThan": "24.04.16",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "23.10.26",
"status": "affected",
"version": "23.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii for YesWeHack"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.\u003cp\u003eThis issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.\u003c/p\u003e"
}
],
"value": "User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T18:56:49.007Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-4650-centreon-web-all-versions-high-severity-4901"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User with high privileges is able to introduce a SQLi using the Meta Service indicator page",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4650",
"datePublished": "2025-08-22T18:50:42.034Z",
"dateReserved": "2025-05-13T11:40:55.019Z",
"dateUpdated": "2025-08-22T19:01:11.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4649 (GCVE-0-2025-4649)
Vulnerability from cvelistv5 – Published: 2025-05-13 11:40 – Updated: 2025-10-15 13:05
VLAI?
Title
ACL are not correctly taken into account in the display of the "event logs" page. This page requiring, high privileges, will display all available logs.
Summary
Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation.
ACL are not correctly taken into account in the display of the "event logs" page. This page requiring, high privileges, will display all available logs.
This issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26.
Severity ?
4.9 (Medium)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Benoit Poulet
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:04:27.568609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:04:49.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.4",
"status": "affected",
"version": "24.10.3",
"versionType": "semver"
},
{
"lessThan": "24.04.10",
"status": "affected",
"version": "24.04.09",
"versionType": "semver"
},
{
"lessThan": "23.10.21",
"status": "affected",
"version": "23.10.19",
"versionType": "semver"
},
{
"lessThan": "23.04.26",
"status": "affected",
"version": "23.04.24",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benoit Poulet"
}
],
"datePublic": "2025-02-10T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACL are not correctly taken into account in the display of the \"event logs\" page. This page requiring, high privileges, will display all available logs.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26.\u003c/p\u003e"
}
],
"value": "Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation.\n\n\n\nACL are not correctly taken into account in the display of the \"event logs\" page. This page requiring, high privileges, will display all available logs.\nThis issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T13:05:23.113Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-medium-severity-4349"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "ACL are not correctly taken into account in the display of the \"event logs\" page. This page requiring, high privileges, will display all available logs.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4649",
"datePublished": "2025-05-13T11:40:23.198Z",
"dateReserved": "2025-05-13T09:47:58.210Z",
"dateUpdated": "2025-10-15T13:05:23.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4648 (GCVE-0-2025-4648)
Vulnerability from cvelistv5 – Published: 2025-05-13 09:45 – Updated: 2025-10-08 10:07
VLAI?
Title
A user with elevated privileges can inject XSS by altering the content of a SVG media during the submit request.
Summary
The content of a SVG file, received as input
in Centreon web, was not properly checked. Allows Reflected XSS.
A user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.
This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
Severity ?
8.4 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
SpawnZii working with YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:08:07.876396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:08:24.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.5",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
},
{
"lessThan": "24.04.11",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "23.10.22",
"status": "affected",
"version": "23.10.0",
"versionType": "semver"
},
{
"lessThan": "23.04.27",
"status": "affected",
"version": "23.04.0",
"versionType": "semver"
},
{
"lessThan": "22.10.29",
"status": "affected",
"version": "22.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii working with YesWeHack"
}
],
"datePublic": "2025-03-12T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The content of a SVG file, received as input \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein Centreon web\u003c/span\u003e, was not properly checked. Allows Reflected XSS.\u003cbr\u003eA user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.\u003cbr\u003e\u003cp\u003eThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.\u003c/p\u003e"
}
],
"value": "The content of a SVG file, received as input \n\nin Centreon web, was not properly checked. Allows Reflected XSS.\nA user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.\nThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T10:07:58.081Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55575-centreon-web-high-severity-4434"
},
{
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A user with elevated privileges can inject XSS by altering the content of a SVG media during the submit request.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4648",
"datePublished": "2025-05-13T09:45:41.519Z",
"dateReserved": "2025-05-13T09:32:38.704Z",
"dateUpdated": "2025-10-08T10:07:58.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4647 (GCVE-0-2025-4647)
Vulnerability from cvelistv5 – Published: 2025-05-13 09:31 – Updated: 2025-05-13 13:08
VLAI?
Title
A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS.
A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG.
This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
Severity ?
8.4 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
SpawnZii working with YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4647",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:08:16.035524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:08:24.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.5",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
},
{
"lessThan": "24.04.11",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "23.10.22",
"status": "affected",
"version": "23.10.0",
"versionType": "semver"
},
{
"lessThan": "23.04.27",
"status": "affected",
"version": "23.04.0",
"versionType": "semver"
},
{
"lessThan": "22.10.29",
"status": "affected",
"version": "22.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii working with YesWeHack"
}
],
"datePublic": "2025-03-12T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon web allows Reflected XSS.\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon web allows Reflected XSS.\n\nA user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG.\n\nThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T09:31:17.529Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55574-centreon-web-high-severity-4435"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4647",
"datePublished": "2025-05-13T09:31:17.529Z",
"dateReserved": "2025-05-13T09:25:32.395Z",
"dateUpdated": "2025-05-13T13:08:24.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4646 (GCVE-0-2025-4646)
Vulnerability from cvelistv5 – Published: 2025-05-13 09:17 – Updated: 2025-10-08 10:00
VLAI?
Title
A high privilege user is able to create and use a valid admin API token in centreon-web
Summary
Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
Severity ?
7.2 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Floerer from YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4646",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:08:49.597644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:09:27.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.04.10",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "24.10.4",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Floerer from YesWeHack"
}
],
"datePublic": "2025-03-10T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.\u003cp\u003eThis issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T10:00:43.607Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55572-centreon-web-high-severity-4460"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A high privilege user is able to create and use a valid admin API token in centreon-web",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4646",
"datePublished": "2025-05-13T09:17:35.146Z",
"dateReserved": "2025-05-13T08:17:11.709Z",
"dateUpdated": "2025-10-08T10:00:43.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6791 (GCVE-0-2025-6791)
Vulnerability from nvd – Published: 2025-08-22 18:56 – Updated: 2025-09-16 19:27
VLAI?
Title
Second order SQL injection available to user with low privilege
Summary
In the monitoring event logs page, it is possible to alter the http request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection.This issue affects web: 24.10.0, 24.04.0, 23.10.0.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
SpawnZii by YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6791",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T20:11:47.445230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T20:12:00.289Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Monitoring event logs"
],
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.9",
"status": "affected",
"version": "24.10.0",
"versionType": "custom"
},
{
"lessThan": "24.04.16",
"status": "affected",
"version": "24.04.0",
"versionType": "custom"
},
{
"lessThan": "23.10.26",
"status": "affected",
"version": "23.10.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii by YesWeHack"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In the monitoring event logs page, it is possible to alter the http request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection.\u003cp\u003eThis issue affects web: 24.10.0, 24.04.0, 23.10.0.\u003c/p\u003e"
}
],
"value": "In the monitoring event logs page, it is possible to alter the http request to insert a reflect payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection.This issue affects web: 24.10.0, 24.04.0, 23.10.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:27:33.378Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-6791-centreon-web-all-versions-high-severity-4900"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Second order SQL injection available to user with low privilege",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-6791",
"datePublished": "2025-08-22T18:56:28.027Z",
"dateReserved": "2025-06-27T14:34:22.260Z",
"dateUpdated": "2025-09-16T19:27:33.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4650 (GCVE-0-2025-4650)
Vulnerability from nvd – Published: 2025-08-22 18:50 – Updated: 2025-08-22 19:01
VLAI?
Title
User with high privileges is able to introduce a SQLi using the Meta Service indicator page
Summary
User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
SpawnZii for YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T19:01:00.491601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T19:01:11.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Meta service indicator page"
],
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.9",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
},
{
"lessThan": "24.04.16",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "23.10.26",
"status": "affected",
"version": "23.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii for YesWeHack"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.\u003cp\u003eThis issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.\u003c/p\u003e"
}
],
"value": "User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T18:56:49.007Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-4650-centreon-web-all-versions-high-severity-4901"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User with high privileges is able to introduce a SQLi using the Meta Service indicator page",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4650",
"datePublished": "2025-08-22T18:50:42.034Z",
"dateReserved": "2025-05-13T11:40:55.019Z",
"dateUpdated": "2025-08-22T19:01:11.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4649 (GCVE-0-2025-4649)
Vulnerability from nvd – Published: 2025-05-13 11:40 – Updated: 2025-10-15 13:05
VLAI?
Title
ACL are not correctly taken into account in the display of the "event logs" page. This page requiring, high privileges, will display all available logs.
Summary
Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation.
ACL are not correctly taken into account in the display of the "event logs" page. This page requiring, high privileges, will display all available logs.
This issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26.
Severity ?
4.9 (Medium)
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Benoit Poulet
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4649",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:04:27.568609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:04:49.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.4",
"status": "affected",
"version": "24.10.3",
"versionType": "semver"
},
{
"lessThan": "24.04.10",
"status": "affected",
"version": "24.04.09",
"versionType": "semver"
},
{
"lessThan": "23.10.21",
"status": "affected",
"version": "23.10.19",
"versionType": "semver"
},
{
"lessThan": "23.04.26",
"status": "affected",
"version": "23.04.24",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benoit Poulet"
}
],
"datePublic": "2025-02-10T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation.\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eACL are not correctly taken into account in the display of the \"event logs\" page. This page requiring, high privileges, will display all available logs.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26.\u003c/p\u003e"
}
],
"value": "Improper Handling of Exceptional Conditions vulnerability in Centreon web allows Privilege Escalation.\n\n\n\nACL are not correctly taken into account in the display of the \"event logs\" page. This page requiring, high privileges, will display all available logs.\nThis issue affects web: from 24.10.3 before 24.10.4, from 24.04.09 before 24.04.10, from 23.10.19 before 23.10.21, from 23.04.24 before 23.04.26."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T13:05:23.113Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-medium-severity-4349"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "ACL are not correctly taken into account in the display of the \"event logs\" page. This page requiring, high privileges, will display all available logs.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4649",
"datePublished": "2025-05-13T11:40:23.198Z",
"dateReserved": "2025-05-13T09:47:58.210Z",
"dateUpdated": "2025-10-15T13:05:23.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4648 (GCVE-0-2025-4648)
Vulnerability from nvd – Published: 2025-05-13 09:45 – Updated: 2025-10-08 10:07
VLAI?
Title
A user with elevated privileges can inject XSS by altering the content of a SVG media during the submit request.
Summary
The content of a SVG file, received as input
in Centreon web, was not properly checked. Allows Reflected XSS.
A user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.
This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
Severity ?
8.4 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
Credits
SpawnZii working with YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:08:07.876396Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:08:24.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.5",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
},
{
"lessThan": "24.04.11",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "23.10.22",
"status": "affected",
"version": "23.10.0",
"versionType": "semver"
},
{
"lessThan": "23.04.27",
"status": "affected",
"version": "23.04.0",
"versionType": "semver"
},
{
"lessThan": "22.10.29",
"status": "affected",
"version": "22.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii working with YesWeHack"
}
],
"datePublic": "2025-03-12T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The content of a SVG file, received as input \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ein Centreon web\u003c/span\u003e, was not properly checked. Allows Reflected XSS.\u003cbr\u003eA user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.\u003cbr\u003e\u003cp\u003eThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.\u003c/p\u003e"
}
],
"value": "The content of a SVG file, received as input \n\nin Centreon web, was not properly checked. Allows Reflected XSS.\nA user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.\nThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T10:07:58.081Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55575-centreon-web-high-severity-4434"
},
{
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A user with elevated privileges can inject XSS by altering the content of a SVG media during the submit request.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4648",
"datePublished": "2025-05-13T09:45:41.519Z",
"dateReserved": "2025-05-13T09:32:38.704Z",
"dateUpdated": "2025-10-08T10:07:58.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4647 (GCVE-0-2025-4647)
Vulnerability from nvd – Published: 2025-05-13 09:31 – Updated: 2025-05-13 13:08
VLAI?
Title
A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon web allows Reflected XSS.
A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG.
This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
Severity ?
8.4 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
SpawnZii working with YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4647",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:08:16.035524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:08:24.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.10.5",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
},
{
"lessThan": "24.04.11",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "23.10.22",
"status": "affected",
"version": "23.10.0",
"versionType": "semver"
},
{
"lessThan": "23.04.27",
"status": "affected",
"version": "23.04.0",
"versionType": "semver"
},
{
"lessThan": "22.10.29",
"status": "affected",
"version": "22.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SpawnZii working with YesWeHack"
}
],
"datePublic": "2025-03-12T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon web allows Reflected XSS.\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG.\u003c/span\u003e\u003c/p\u003e\u003cp\u003eThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon web allows Reflected XSS.\n\nA user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG.\n\nThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T09:31:17.529Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55574-centreon-web-high-severity-4435"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A user with elevated privileges can bypass sanitization measures by replacing the content of an existing SVG",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4647",
"datePublished": "2025-05-13T09:31:17.529Z",
"dateReserved": "2025-05-13T09:25:32.395Z",
"dateUpdated": "2025-05-13T13:08:24.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4646 (GCVE-0-2025-4646)
Vulnerability from nvd – Published: 2025-05-13 09:17 – Updated: 2025-10-08 10:00
VLAI?
Title
A high privilege user is able to create and use a valid admin API token in centreon-web
Summary
Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
Severity ?
7.2 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
Credits
Floerer from YesWeHack
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4646",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:08:49.597644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:09:27.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "web",
"vendor": "Centreon",
"versions": [
{
"lessThan": "24.04.10",
"status": "affected",
"version": "24.04.0",
"versionType": "semver"
},
{
"lessThan": "24.10.4",
"status": "affected",
"version": "24.10.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Floerer from YesWeHack"
}
],
"datePublic": "2025-03-10T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.\u003cp\u003eThis issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation.This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T10:00:43.607Z",
"orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"shortName": "Centreon"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55572-centreon-web-high-severity-4460"
},
{
"tags": [
"release-notes"
],
"url": "https://github.com/centreon/centreon/releases"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "A high privilege user is able to create and use a valid admin API token in centreon-web",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
"assignerShortName": "Centreon",
"cveId": "CVE-2025-4646",
"datePublished": "2025-05-13T09:17:35.146Z",
"dateReserved": "2025-05-13T08:17:11.709Z",
"dateUpdated": "2025-10-08T10:00:43.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}