CVE-2014-3828
published 2014-10-23

CVE-2014-3828: Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute…

Priority: P2 (75) · critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 72.71% (99.4th percentile)
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.

Affected (2 ranges)

Vendor     Product                      Version range   Fixed in
merethis   centreon                     2.5.1           Centreon web 2.5.3
merethis   centreon_enterprise_server   2.2             Centreon web 2.5.3

Detection & IOCs (extracted from sources)

Vulnerable paths (all under include/):
  • include/views/graphs/graphStatus/displayServiceStatus.php
  • include/views/graphs/common/makeXML_ListMetrics.php
  • include/views/graphs/GetXmlTree.php
  • include/configuration/configObject/traps/GetXMLTrapsForVendor.php
  • include/common/javascript/commandGetArgs/cmdGetExample.php

Observed injection payloads:
  • ' UNION ALL SELECT 1,2,3,4,5,CHAR(59,<payload>,59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**
    (<payload> is a comma-separated list of ASCII codes for the injected command; CHAR(59) is ';', so the command is wrapped in semicolons to terminate the surrounding shell command line)
  • ' or 'a'='a
  • Monitor GET requests to displayServiceStatus.php whose session_id parameter contains SQL injection patterns (single quotes, OR conditions, UNION SELECT statements). The ' or 'a'='a payload makes the session lookup match any existing row, so it passes the session check without the attacker holding a valid session id.
  • Alert on HTTP responses from displayServiceStatus.php containing 'sh: graph: command not found' or 'sh: --imgformat: command not found'; these strings show that the result of the UNION-based SQLi reached a shell command line, i.e. the SQLi was successfully chained into command injection.
  • Detect UNION ALL SELECT payloads with CHAR() encoding in the template_id parameter of displayServiceStatus.php; this is the vector used to smuggle OS commands through MySQL into the shell.
  • The exploit requires no prior authentication: detect unauthenticated GET requests to /centreon/include/views/graphs/graphStatus/displayServiceStatus.php with suspicious session_id or template_id values.
  • Exploitation only succeeds if at least one valid session exists in the centreon.session table; a completely idle system with no logged-in users may not be exploitable at the moment of the attempt, so a failed probe does not prove the host is patched.
  • The default application root is /centreon; installations served from a non-default path need their detection rules adjusted (matching on the include/... suffix rather than on the full path avoids this blind spot).
  • The payload space is constrained to about 1500 bytes, derived from an 8192-byte maximum URI length; very large payloads will fail.
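As an added example (not part of this page and not Centreon project code): a Python scanner that applies the detection notes above to access-log lines. It matches the five vulnerable scripts by their include/... suffix so that non-default application roots are still caught, decodes query-string values a second time to catch double-encoded payloads, flags the ' or 'a'='a and UNION ALL SELECT ... CHAR() patterns as high severity, and flags any other non-alphanumeric value in the injectable parameters as low severity (those parameters are numeric ids or a session id, so anything else is anomalous). The log lines, IP addresses and session ids are constructed; the template_id parameter comes from the detection notes above, not from the CVE text.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Vulnerable scripts (relative to <app_root>/include/) and the parameters that are
# injectable in each, per the CVE description; template_id on displayServiceStatus.php
# is taken from the detection notes above.
AFFECTED = {
    "views/graphs/common/makeXML_ListMetrics.php": ("index_id",),
    "views/graphs/GetXmlTree.php": ("sid",),
    "views/graphs/graphStatus/displayServiceStatus.php": ("session_id", "template_id"),
    "configuration/configObject/traps/GetXMLTrapsForVendor.php": ("mnftr_id",),
    "common/javascript/commandGetArgs/cmdGetExample.php": ("index",),
}

# High-confidence SQLi indicators seen in the observed payloads.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I),   # ' or 'a'='a
    re.compile(r"union\s+(all\s+)?select", re.I),      # UNION ALL SELECT ...
    re.compile(r"char\s*\(\s*\d+", re.I),               # CHAR(59,...)
    re.compile(r"--\s|#|/\*"),                          # comment-out tails
    re.compile(r"sleep\s*\(", re.I),                    # blind/time-based probes
]

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def match_endpoint(path):
    """Return the vulnerable script key if `path` ends in /include/<script>, else None.
    Suffix matching covers non-default application roots (the page's /centreon caveat)."""
    for endpoint in AFFECTED:
        if path.endswith("/include/" + endpoint):
            return endpoint
    return None


def analyze_request(target):
    """Inspect one request-target. Returns a dict describing the worst finding, or None."""
    parts = urlsplit(target)
    endpoint = match_endpoint(parts.path)
    if endpoint is None:
        return None
    # parse_qs decodes one layer; unquote_plus decodes a second one (%2527 -> %27 -> ').
    query = parse_qs(parts.query, keep_blank_values=True)
    low = None
    for param in AFFECTED[endpoint]:
        for raw in query.get(param, []):
            value = unquote_plus(raw)
            if any(p.search(value) for p in SQLI_PATTERNS):
                return {"endpoint": endpoint, "param": param, "value": value, "severity": "high"}
            if low is None and re.fullmatch(r"[A-Za-z0-9]*", value) is None:
                low = {"endpoint": endpoint, "param": param, "value": value, "severity": "low"}
    return low


def scan_log(lines):
    """Run analyze_request over access-log lines; returns one finding per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding:
            hits.append({"ip": m.group("ip"), "time": m.group("time"), **finding})
    return hits


# Constructed sample log (hypothetical hosts and session ids), one line per case:
# benign, session bypass, UNION/CHAR command injection, non-default root with a bare
# quote, unrelated page, double-encoded session bypass.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2014:10:00:01 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=3f2a9c1d7b&template_id=1&index=42 HTTP/1.1" 200 1532',
    '203.0.113.9 - - [23/Oct/2014:10:00:07 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=%27+or+%27a%27%3D%27a&template_id=1 HTTP/1.1" 200 611',
    '203.0.113.9 - - [23/Oct/2014:10:00:09 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=3f2a9c1d7b&template_id=1%27+UNION+ALL+SELECT+1,2,3,4,5,CHAR(59,105,100,59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+/** HTTP/1.1" 200 388',
    '198.51.100.4 - - [23/Oct/2014:10:01:12 +0000] "GET /monitoring/include/views/graphs/GetXmlTree.php?sid=1%27 HTTP/1.1" 200 77',
    '10.0.0.5 - - [23/Oct/2014:10:01:30 +0000] "GET /centreon/main.php?p=20201 HTTP/1.1" 200 9402',
    '203.0.113.9 - - [23/Oct/2014:10:02:45 +0000] "GET /centreon/include/views/graphs/graphStatus/displayServiceStatus.php?session_id=%2527%2520or%2520%2527a%2527%253D%2527a HTTP/1.1" 200 611',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} [{hit["severity"]}] {hit["endpoint"]} {hit["param"]}={hit["value"]!r}')
```

Pair this with the response-side rule from the notes above (the 'sh: ...: command not found' strings) where a proxy or WAF exposes response bodies; request logs alone cannot confirm that the injected command actually ran. The low-severity tier deliberately catches the bare-quote probe on the non-default /monitoring root, which a rule keyed on /centreon/ and on full payload signatures would miss.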