CVE-2018-11589

EUVD-2018-3614
Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
Affected Products (NVD)
VendorProductVersion
centreoncentreon
3.4.6
centreoncentreon_web
2.8.23
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html
https://github.com/centreon/centreon/pull/6250
https://github.com/centreon/centreon/pull/6251
https://github.com/centreon/centreon/pull/6255
https://github.com/centreon/centreon/pull/6256
https://github.com/centreon/centreon/pull/6257
https://github.com/centreon/centreon/releases
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html
https://github.com/centreon/centreon/pull/6250
https://github.com/centreon/centreon/pull/6251
https://github.com/centreon/centreon/pull/6255
https://github.com/centreon/centreon/pull/6256
https://github.com/centreon/centreon/pull/6257
https://github.com/centreon/centreon/releases