CVE-2025-4648

The content of a SVG file, received as input 

in Centreon web, was not properly checked. Allows Reflected XSS.
A user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.
This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.4 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CentreonCNA
8.4 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
VendorProductVersion
centreoncentreon_web
22.10.0 ≤
𝑥
< 22.10.29
centreoncentreon_web
23.04.0 ≤
𝑥
< 23.04.27
centreoncentreon_web
23.10.0 ≤
𝑥
< 23.10.22
centreoncentreon_web
24.04.0 ≤
𝑥
< 24.04.11
centreoncentreon_web
24.10.0 ≤
𝑥
< 24.10.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55575-centreon-web-high-severity-4434