cvebase

Centreon Web vulnerabilities

57 known vulnerabilities affecting centreon/centreon_web.

Total CVEs: 57
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 27, MEDIUM 22

Vulnerabilities

Page 2 of 3

Columns: CVE | priority | severity | CVSS score | affected version ranges ("+N more" = further ranges collapsed in the listing) | date
CVE-2023-51633 | P3 | CRITICAL | CVSS 9.6 | fixed in 22.10.15; ≥ 23.04.0, < 23.04.10; +1 more | 2024-05-03
CVE-2023-51633 [CRITICAL] CWE-79: Centreon sysName Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. User interaction is required to exploit this vulnerability. The specific flaw exists within the processing of the sysName OID in SNMP. The issue results from the lack
nvd
CVE-2024-39841 | P3 | HIGH | CVSS 8.8 | ≥ 22.10.0, < 22.10.23; ≥ 23.04.0, < 23.04.19; +2 more | 2024-08-23
CVE-2024-39841 [HIGH] CWE-89: A SQL Injection vulnerability exists in the service configuration functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
nvd
CVE-2019-17107 | P3 | HIGH | CVSS 8.8 | ≥ 2.8, < 2.8.27; ≥ 18.10.0, < 18.10.4 | 2019-10-08
CVE-2019-17107 [HIGH]: minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect.
nvd
CVE-2018-21023 | P3 | HIGH | CVSS 8.8 | ≥ 2.8, < 2.8.28; ≥ 18.10.0, < 18.10.5 | 2019-10-08
CVE-2018-21023 [HIGH] CWE-94: getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.
nvd
CVE-2019-15300 | P3 | HIGH | CVSS 8.8 | ≥ 2.8.1, < 2.8.30; ≥ 19.04.0, < 19.04.5; +1 more | 2019-11-27
CVE-2019-15300 [HIGH] CWE-89: A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.
nvd
CVE-2019-15299 | P3 | HIGH | CVSS 8.8 | ≤ 19.04.3 | 2020-02-24
CVE-2019-15299 [HIGH] CWE-287: An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autologin_key field in the database becomes blank when it should be NULL. This makes it possible to partially bypass authentication.
nvd
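The CVE-2019-15299 entry turns on a detail that is easy to miss: in SQL, NULL never compares equal to anything, but an empty string compares equal to another empty string, so a key column that is blanked instead of nulled becomes a valid, trivially guessable credential. The script below is an added illustration of that distinction, not Centreon's code or schema: the contact table, the autologin lookup and the password-change handler are constructed for the example, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed sample rows; column names mimic the advisory but the table is not Centreon's.
SAMPLE_CONTACTS = [
    (1, "admin", None),        # never enabled autologin: key is NULL
    (2, "alice", "a1b2c3d4"),  # has a real autologin key
    (3, "bob", ""),            # key became '' instead of NULL after a password change
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact ("
        " contact_id INTEGER PRIMARY KEY,"
        " contact_alias TEXT NOT NULL,"
        " contact_autologin_key TEXT)"
    )
    conn.executemany("INSERT INTO contact VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    return conn


def autologin_lookup(conn, alias, key, hardened):
    """Return the contact_id an autologin request resolves to, or None.

    hardened=False: trusts the database to hold NULL whenever there is no key.
    hardened=True : rejects an empty key before querying, and the query itself
                    refuses NULL/'' keys even if one is stored.
    """
    if hardened and not key:
        return None
    sql = (
        "SELECT contact_id FROM contact"
        " WHERE contact_alias = ? AND contact_autologin_key = ?"
    )
    if hardened:
        sql += " AND contact_autologin_key IS NOT NULL AND contact_autologin_key <> ''"
    row = conn.execute(sql, (alias, key)).fetchone()
    return row[0] if row else None


def clear_autologin_key(conn, alias, use_null):
    """Simulated password-change handler: use_null=True writes NULL (correct),
    use_null=False writes '' (the behaviour the advisory describes)."""
    conn.execute(
        "UPDATE contact SET contact_autologin_key = ? WHERE contact_alias = ?",
        (None if use_null else "", alias),
    )


def demo():
    conn = make_db()
    results = {
        # NULL = '' is not true in SQL, so admin cannot be matched with an empty key
        "admin_empty_key": autologin_lookup(conn, "admin", "", hardened=False),
        # '' = '' is true, so bob's blanked key acts as a valid key anyone can supply
        "bob_empty_key_vulnerable": autologin_lookup(conn, "bob", "", hardened=False),
        "bob_empty_key_hardened": autologin_lookup(conn, "bob", "", hardened=True),
    }
    clear_autologin_key(conn, "alice", use_null=True)
    results["alice_after_null_clear"] = autologin_lookup(conn, "alice", "", hardened=False)
    return results


if __name__ == "__main__":
    print(demo())
```

Both halves of the hardening matter: rejecting an empty key in application code closes the request path, and the `IS NOT NULL AND <> ''` predicate protects against rows that were already blanked before the fix shipped; writing NULL on password change is what removes the bad rows going forward.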
CVE-2018-11589 | P3 | CRITICAL | CVSS 9.8 | v2.8.23 | 2018-06-25
CVE-2018-11589 [CRITICAL] CWE-89: Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.
nvd
CVE-2018-21022 | P3 | HIGH | CVSS 8.8 | fixed in 2.8.28 | 2019-10-08
CVE-2018-21022 [HIGH] CWE-89: makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.
nvd
CVE-2018-21021 | P3 | HIGH | CVSS 8.8 | fixed in 2.8.27 | 2019-10-08
CVE-2018-21021 [HIGH] CWE-89: img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.
nvd
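Three of the entries above (CVE-2018-11589, CVE-2018-21022, CVE-2018-21021) are SQL injections through a numeric host_id request parameter. The following Python script is an added illustration of that bug class beside its fix; it is not Centreon code. The service table, its rows and the two function names are constructed for the example, and SQLite stands in for the real database backend.

```python
import re
import sqlite3

# Constructed sample data: a minimal service table, not Centreon's schema.
SAMPLE_SERVICES = [
    (1, 1, "ping"),
    (2, 1, "http"),
    (3, 2, "ssh"),
    (4, 3, "smtp"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE service ("
        " service_id INTEGER PRIMARY KEY,"
        " host_id INTEGER NOT NULL,"
        " service_description TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO service VALUES (?, ?, ?)", SAMPLE_SERVICES)
    return conn


def list_services_vulnerable(conn, host_id):
    """CWE-89 pattern: the request parameter is spliced into the statement text,
    so a value like '1 OR 1=1' rewrites the WHERE clause."""
    sql = f"SELECT service_description FROM service WHERE host_id = {host_id}"
    return [row[0] for row in conn.execute(sql)]


def list_services_safe(conn, host_id):
    """Fixed pattern: validate the identifier's shape, then bind it as a parameter.
    Either step alone would stop this input; together they also keep the query
    plan stable and reject garbage before it reaches the database."""
    if not re.fullmatch(r"\d+", str(host_id)):
        raise ValueError(f"host_id must be a decimal integer, got {host_id!r}")
    sql = "SELECT service_description FROM service WHERE host_id = ?"
    return [row[0] for row in conn.execute(sql, (int(host_id),))]


if __name__ == "__main__":
    db = make_db()
    print(list_services_vulnerable(db, "1"))          # only host 1's services
    print(list_services_vulnerable(db, "1 OR 1=1"))   # every host's services
    print(list_services_safe(db, "1"))
    try:
        list_services_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same shape applies to the other parameters named in the entries (searchU, chartId, searchCurve, arId): whatever the column type, the value is bound with a placeholder rather than formatted into the statement, and free-text search terms get a length and character-class check before binding.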
CVE-2025-4650 | P3 | HIGH | CVSS 7.2 | ≥ 23.10.0, < 23.10.26; ≥ 24.04.0, < 24.04.16; +1 more | 2025-08-22
CVE-2025-4650 [HIGH] CWE-89: A user with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command. This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26.
nvd
CVE-2025-3872 | P3 | HIGH | CVSS 7.2 | ≥ 22.10.0, < 22.10.28; ≥ 23.04.0, < 23.04.25; +3 more | 2025-04-24
CVE-2025-3872 [HIGH] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection. A user with high privileges is able to become administrator by intercepting the contact form request and altering its payload. This issue affects Centreon: from 22.10.0 bef
nvd
CVE-2018-21020 | P3 | HIGH | CVSS 7.5 | fixed in 2.8.27 | 2019-10-08
CVE-2018-21020 [HIGH] CWE-20: In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place.
nvd
CVE-2025-4646 | P3 | HIGH | CVSS 7.2 | ≥ 24.04.0, < 24.04.10; ≥ 24.10.0, < 24.10.4 | 2025-05-13
CVE-2025-4646 [HIGH] CWE-863: Incorrect Authorization vulnerability in Centreon web (API Token creation form modules) allows Privilege Escalation. This issue affects web: from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.
nvd
CVE-2024-53923 | P3 | HIGH | CVSS 7.2 | ≥ 23.04.0, < 23.04.24; ≥ 23.10.0, < 23.10.19; +2 more | 2025-01-23
CVE-2024-53923 [HIGH] CWE-89: An issue was discovered in Centreon Web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to achieve SQL injection in the form to upload media.
nvd
CVE-2024-55573 | P3 | HIGH | CVSS 7.2 | ≥ 23.04.0, < 23.04.24; ≥ 23.10.0, < 23.10.19; +2 more | 2025-01-23
CVE-2024-55573 [HIGH] CWE-89: An issue was discovered in Centreon centreon-web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to inject SQL into the form used to create virtual metrics.
nvd
CVE-2019-16406 | P3 | HIGH | CVSS 7.8 | v19.04.4 | 2019-11-21
CVE-2019-16406 [HIGH] CWE-732: Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.
nvd
CVE-2021-26804 | P3 | MEDIUM | CVSS 6.5 | v19.10.18; v20.04.8; +1 more | 2021-05-04
CVE-2021-26804 [MEDIUM] CWE-276: Insecure Permissions in Centreon Web versions 19.10.18, 20.04.8, and 20.10.2 allows remote attackers to bypass validation by changing any file extension to ".gif", then uploading it in the "Administration/ Parameters/ Images" section of the application.
nvd
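The CVE-2021-26804 entry describes the classic failure of an image-upload filter that trusts the file extension. The Python below is an added example, not Centreon's upload code: it puts an extension-only check beside a check that also requires the bytes to start with the signature of the claimed format, and uses constructed sample files (a real GIF header, a renamed script, and a GIF/script polyglot) to show what each check catches. The allow-list and signature table are assumptions for the example.

```python
# Allow-list of image extensions this example accepts (an assumption for the example).
ALLOWED_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# Leading byte signatures for those formats.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def extension_of(filename):
    """Lower-cased final extension, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def accept_by_extension(filename, data):
    """Extension-only check: the pattern the advisory describes as bypassable,
    because renaming any file to .gif satisfies it."""
    return extension_of(filename) in ALLOWED_EXTENSIONS


def accept_by_content(filename, data):
    """Extension must be allowed AND the bytes must begin with that format's signature."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])


# Constructed sample uploads.
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SCRIPT_RENAMED = b"<?php echo 'not an image'; ?>"        # a script saved as .gif
POLYGLOT = b"GIF89a" + SCRIPT_RENAMED                     # valid header, script body


def triage(samples):
    """Run both checks over (filename, bytes) pairs; returns {name: (ext_ok, content_ok)}."""
    return {
        name: (accept_by_extension(name, data), accept_by_content(name, data))
        for name, data in samples
    }


if __name__ == "__main__":
    for name, verdict in triage([
        ("logo.gif", REAL_GIF),
        ("shell.gif", SCRIPT_RENAMED),
        ("shell.php", SCRIPT_RENAMED),
        ("poly.gif", POLYGLOT),
    ]).items():
        print(f"{name:10} extension-only={verdict[0]!s:5} content={verdict[1]!s:5}")
```

The polyglot sample is the caveat: a signature check only proves the first few bytes look like an image, so a file can carry a valid GIF header and still be a script. The control that actually matters is where the bytes end up, stored under a server-generated name outside any path the interpreter executes, served with a fixed image content type, and ideally re-encoded through an image library so only pixel data survives.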
CVE-2019-17106 | P4 | MEDIUM | CVSS 6.5 | ≤ 2.8.29 | 2019-10-08
CVE-2019-17106 [MEDIUM] CWE-312: In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.
nvd
CVE-2025-12519 | P4 | MEDIUM | CVSS 5.3 | ≥ 24.04.0, < 24.04.19; ≥ 24.10.0, < 24.10.15; +1 more | 2026-01-05
CVE-2025-12519 [MEDIUM] CWE-862: Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 2
nvd
CVE-2025-8459 | P4 | MEDIUM | CVSS 5.4 | ≥ 23.10.0, < 23.10.28; ≥ 24.04.0, < 24.04.18; +1 more | 2025-10-14
CVE-2025-8459 [MEDIUM] CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Monitoring recurrent downtime scheduler modules) allows Stored XSS. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.
nvd
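To use a listing like this operationally you have to test an installed Centreon Web version against the range cells, which come in several notations ("≥ 23.04.0, < 23.04.10", "≤ 19.04.3", "v2.8.23", "fixed in 2.8.28"). The Python helper below is an added example, not cvebase or Centreon tooling: it parses those four notations and reports which entries match a version. Two assumptions are built in and marked in the code: "fixed in X" is read as the X.Y branch below X, and the collapsed "+N more" cells are not on the page, so the small LISTING table constructed from the visible cells above necessarily misses ranges the full entries carry.

```python
import re

# Constructed from the visible range cells of the entries above; "+N more" cells
# are collapsed in the listing and therefore absent here (assumption: incomplete).
LISTING = {
    "CVE-2024-39841": ["≥ 22.10.0, < 22.10.23", "≥ 23.04.0, < 23.04.19"],
    "CVE-2019-15299": ["≤ 19.04.3"],
    "CVE-2018-11589": ["v2.8.23"],
    "CVE-2018-21022": ["fixed in 2.8.28"],
}


def parse_version(text):
    """'22.10.23' or 'v2.8.23' -> tuple of ints, e.g. (22, 10, 23)."""
    text = text.strip().lstrip("v")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparsable version {text!r}")
    return tuple(int(part) for part in text.split("."))


def _satisfies(op, version, bound):
    """Compare two version tuples after zero-padding to equal length."""
    width = max(len(version), len(bound))
    v = version + (0,) * (width - len(version))
    b = bound + (0,) * (width - len(bound))
    return {"≥": v >= b, ">": v > b, "≤": v <= b, "<": v < b, "=": v == b}[op]


def parse_range(cell):
    """One range cell -> list of (op, version) constraints that must all hold."""
    cell = cell.strip()
    fixed = re.fullmatch(r"fixed in (\S+)", cell)
    if fixed:
        # Assumption: 'fixed in X' means the X.Y branch from its .0 release up to X.
        fix = parse_version(fixed.group(1))
        return [("≥", fix[:2]), ("<", fix)]
    if re.fullmatch(r"v?\d+(\.\d+)*", cell):
        return [("=", parse_version(cell))]          # a single listed version
    constraints = []
    for part in cell.split(","):
        m = re.fullmatch(r"\s*([≥>≤<])\s*(\S+)\s*", part)
        if not m:
            raise ValueError(f"unparsable range cell {cell!r}")
        constraints.append((m.group(1), parse_version(m.group(2))))
    return constraints


def is_affected(version, cells):
    """True when the version falls inside any of the entry's range cells."""
    v = parse_version(version)
    return any(
        all(_satisfies(op, v, bound) for op, bound in parse_range(cell))
        for cell in cells
    )


def affected_cves(version, listing=LISTING):
    """Sorted CVE ids from the listing whose ranges contain the version."""
    return sorted(cve for cve, cells in listing.items() if is_affected(version, cells))


if __name__ == "__main__":
    for v in ("2.8.23", "22.10.22", "22.10.23"):
        print(v, affected_cves(v))
```

Because the page hides some ranges behind "+N more", an empty result from this helper means "none of the visible ranges match", not "not affected"; expand the entry or consult the linked NVD record before closing a finding.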