Security fixed in Centreon Web

Submission: June 21, 2024

Publication date: September 17, 2024

Severity: HIGH

Feature: Edition of contacts / users

Component: centreon-web

Fixes have been provided for all supported versions and it is recommended to update Centreon Web:

• Centreon Web 24.04.6
• Centreon Web 23.10.16
• Centreon Web 23.04.21
• Centreon Web 22.10.24

These versions include cumulative fixes from prior updates.

CVE-2024-39842 - SQLi in contacts form, only accessible to authenticated users with high privilege access.

Reporter: Trend Micro

Impact:  (CVSS + Path)  7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 

Description: A SQL injection vulnerability in Centreon 24.04.2 allows a remote high-privileged attacker to execute arbitrary SQL command via user massive changes inputs.

Reference: CVE-2024-39842

CVE-2024-39843 - SQLi in contacts form, only accessible to authenticated users with high privilege access.

Reporter: Trend Micro

Impact:  (CVSS + Path)  7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 

Description: A SQL injection vulnerability in Centreon 24.04.2 allows a remote high-privileged attacker to execute arbitrary SQL command via create user form inputs.

Reference: CVE-2024-39843