Detections
Analytics

Centreon < 2.5.4 Multiple Vulnerabilities

high Nessus Plugin ID 80357

Language:

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

According to its version number, the Centreon application hosted on the remote web server is affected by multiple vulnerabilities :

 - A SQL injection vulnerability exists in the centreonLog.class.php script due to improper sanitization of user-supplied input to the 'username' parameter. A remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the manipulation or disclosure of arbitrary data.

 - An information disclosure vulnerability exists that allows allows a local attacker to gain access to information in configuration files.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Centreon 2.5.4 or later.

See Also

https://seclists.org/oss-sec/2014/q4/848

http://www.nessus.org/u?226939f7

http://www.nessus.org/u?256de898

http://www.nessus.org/u?30e00b4b

Plugin Details

Severity: High

ID: 80357

File Name: centreon_254.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 1/5/2015

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:centreon:centreon, cpe:/a:merethis:centreon, cpe:/a:merethis:centreon_enterprise_server

Required KB Items: www/PHP, Settings/ParanoidReport, installed_sw/Centreon

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/27/2014

Vulnerability Publication Date: 11/27/2014

Reference Information

BID: 71333