Multiple vulnerabilities in Centreon

Published: 2019-11-29 | Updated: 2019-11-29




Severity: High
Patch available: YES
Number of vulnerabilities: 2
CVE ID: CVE-2019-15300, CVE-2019-16195
CWE ID: CWE-89, CWE-79
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Centreon
Vendor: Centreon

Security Advisory



1) SQL injection


Severity: High


CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]


CVE-ID: CVE-2019-15300


CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.


The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "arld" parameter in the "/centreon/include/Administration/parameters/ldap/xml/ldap_host.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.


Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.
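As an added triage aid (not code from the advisory or from Centreon), the following scans web-server access logs for requests to the endpoint named above whose "arld" parameter is not a plain integer. It assumes, which the advisory does not state, that "arld" normally carries a numeric LDAP configuration id, and it only sees GET query strings, since POST bodies are not in a standard access log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory for CVE-2019-15300
AFFECTED_PATH = "/centreon/include/Administration/parameters/ldap/xml/ldap_host.php"

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_arld(url):
    """Return the arld value if the URL targets the affected page with a
    non-numeric arld (assumed to be a numeric id), otherwise None."""
    parts = urlsplit(url)
    if parts.path != AFFECTED_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("arld", []):
        if not re.fullmatch(r"\d+", value):
            return value  # already percent-decoded by parse_qs
    return None


def scan_log(lines):
    """Return (client, timestamp, arld value) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        value = suspicious_arld(m["url"])
        if value is not None:
            hits.append((m["client"], m["ts"], value))
    return hits


# Constructed sample lines, not real traffic: a normal id, a stray quote
# (a value a numeric id should never carry), and an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Nov/2019:10:01:02 +0000] "GET ' + AFFECTED_PATH + '?arld=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Nov/2019:10:01:07 +0000] "GET ' + AFFECTED_PATH + '?arld=1%27 HTTP/1.1" 200 4096',
    '10.0.0.9 - - [29/Nov/2019:10:01:09 +0000] "GET /centreon/main.php?p=50101 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} arld={value!r}")
```

A hit only shows that an authenticated user sent an odd value; it does not replace applying the vendor update.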


Mitigation

Install the update from the vendor's website.


Vulnerable software versions

Centreon: 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.8.15, 2.8.16, 2.8.17, 2.8.18, 2.8.19, 2.8.20, 2.8.21, 2.8.22, 2.8.23, 2.8.24, 2.8.25, 2.8.26, 2.8.27, 2.8.28, 2.8.29, 19.04.0, 19.04.1, 19.04.2, 19.04.3, 19.04.4, 19.10.0, 19.10.1

