Publication date: May 12, 2025

Components: centreon-web, centreon-open-tickets & centreon-mbi-server.

Feature: Open Tickets and Reporting (MBI)

Description: Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Upgrade to either version 3.1.48.1

Reference: CVE-2024-55573

CVSS:  7.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L 

Severity: HIGH

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Central server:

• Centreon 23.10.x (centreon-open-tickets-23.10.3 & centreon-mbi-server-23.10.22)
• Centreon 23.04.x (centreon-open-tickets-23.04.6 & centreon-mbi-server-23.04.23)

Important note: to ensure you do not lose any customization that might have been done to your OpenTicket provider, please make sure to:

• Take a backup of these folders: /usr/share/centreon/www/modules/centreon-open-tickets and /usr/share/centreon/www/widgets/open-tickets
• Apply the patch
• Copy the backed up register.php file(s) to /usr/share/centreon/www/modules/centreon-open-tickets/providers/

Please contact your Customer Success Manager or Technical Support if you need additional instructions before you apply the patch.

These versions include cumulative fixes from prior updates.