CVE-2014-3829
published 2014-10-23

Priority: P278, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 81.00% (99.6th percentile)

displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) session_id or (2) template_id parameter, related to the command_line variable.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
merethis | centreon | |
merethis | centreon_enterprise_server | |

Detection & IOCs (extracted from sources)

path: /centreon/include/views/graphs/graphStatus/displayServiceStatus.php
path: displayServiceStatus.php
command: session_id=<id>' or 'a'='a
command: template_id=' UNION ALL SELECT 1,2,3,4,5,CHAR(59,<payload>59),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 -- /**
  • Detect GET requests to displayServiceStatus.php with SQL injection patterns in session_id or template_id parameters, particularly single-quote characters and OR/UNION SQL keywords.
  • Alert on HTTP responses containing the string 'sh: graph: command not found' or 'sh: --imgformat: command not found', which indicate successful command injection via displayServiceStatus.php.
  • Monitor for UNION-based SQL injection payloads in the template_id parameter of displayServiceStatus.php, specifically patterns matching UNION ALL SELECT with CHAR() encoding.
  • The exploit requires no authentication — flag unauthenticated GET requests to displayServiceStatus.php that contain SQL metacharacters (single quotes, UNION, OR) in session_id or template_id.
  • The exploit abuses the centreon.session table via SQLi to hijack a valid session; monitor for unexpected or anomalous rows/queries against centreon.session from web process accounts.
  • The exploit chains CVE-2014-3828 (SQL injection) with CVE-2014-3829 (command injection); both CVEs must be considered together for full exploit coverage.
  • The vulnerability is fixed in Centreon web 2.5.3; detections should focus on Centreon 2.5.1 and prior, and Centreon Enterprise Server 2.2 and prior.
  • The SQLi check phase may return 'Detected' (not 'Vulnerable') if the centreon.session table is empty, meaning exploitation will fail even on a vulnerable host until a legitimate user logs in.
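
The request and response checks from the detection notes above, written as an added example (not part of the original page and not a vendor or project rule). The log lines are constructed samples in combined log format, and the function and constant names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET = "displayservicestatus.php"
PARAMS = ("session_id", "template_id")
# Patterns named in the detection notes: quotes, OR/UNION, UNION ALL SELECT + CHAR().
UNION_CHAR = re.compile(r"\bunion\s+all\s+select\b.*\bchar\s*\(", re.I | re.S)
SQL_WORDS = re.compile(r"\b(?:union|or)\b", re.I)
RESPONSE_MARKERS = ("sh: graph: command not found",
                    "sh: --imgformat: command not found")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def inspect_request(log_line):
    """Return sorted (param, reason) findings for one access-log line."""
    m = REQUEST.search(log_line)
    if not m or m["method"] != "GET":
        return []
    url = urlsplit(m["uri"])
    if not url.path.lower().endswith("/" + TARGET):
        return []
    findings = set()
    # parse_qs percent-decodes values, so %27 is seen as a single quote.
    query = parse_qs(url.query, keep_blank_values=True)
    for param in PARAMS:
        for value in query.get(param, []):
            if "'" in value:
                findings.add((param, "single-quote"))
            if SQL_WORDS.search(value):
                findings.add((param, "sql-keyword"))
            if param == "template_id" and UNION_CHAR.search(value):
                findings.add((param, "union-char"))
    return sorted(findings)

def response_indicates_injection(body):
    """True if a response body carries one of the shell error strings."""
    return any(marker in body for marker in RESPONSE_MARKERS)

# Constructed sample lines; values inside CHAR() are placeholders.
BASE = "/centreon/include/views/graphs/graphStatus/displayServiceStatus.php"
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Jan/2015:10:00:00 +0000] "GET {BASE}?session_id=abc%27+or+%27a%27%3D%27a&template_id=1 HTTP/1.1" 200 512',
    f'192.0.2.10 - - [01/Jan/2015:10:00:05 +0000] "GET {BASE}?session_id=x&template_id=%27+UNION+ALL+SELECT+1,2,CHAR(59,0,59)+--+ HTTP/1.1" 200 640',
    f'198.51.100.7 - - [01/Jan/2015:10:01:00 +0000] "GET {BASE}?session_id=a1b2c3&template_id=4 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2015:10:02:00 +0000] "GET /centreon/main.php?p=1&x=%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_request(line), line[:60])
```

Keyword matching on `or` and `union` is deliberately broad for this one endpoint, where both parameters are expected to be plain identifiers; tune it against real traffic before alerting on it.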