Vulnerability Description
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Merethis | Centreon | 2.5.1 |
| Merethis | Centreon Enterprise Server | 2.2 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2014/Oct/78 (Exploit)
- http://www.kb.cert.org/vuls/id/298796 (Third Party Advisory, US Government Resource)
- http://www.securityfocus.com/bid/70648 (Exploit)
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo
- https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffd
FAQ
What is CVE-2014-3828?
CVE-2014-3828 is a vulnerability with a CVSS score of 10.0 (HIGH). Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id ...
How severe is CVE-2014-3828?
CVE-2014-3828 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-3828?
Check the references section above for vendor advisories and patch information. Affected products include: Merethis Centreon, Merethis Centreon Enterprise Server.