Security Bulletins

Publication date: October 30th, 2025Components: centreon-bi-serverDescription: CentreonBI user account on the MBI server can execute commands as root by modifying script runned by the CRON.Reference: CVE-2025-8432CVSS: 8.4 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon MBI on Central Server:Centreon MBI 24.10.6 Centreon MBI 24.04.9 Centreon MBI 23.10.15These versions include cumulative fixes from prior updates  Reporter: SpawnZii - PGM12268-13 Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: October 30th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Meta-Service configuration page.Reference: CVE-2025-10023CVSS: 6.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N/E:F/RL:U/RC:C)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.9 Centreon Web 24.04.16 Centreon Web 23.10.26These versions include cumulative fixes from prior updates.If you are using an High Availability Platform, please ensure to follow the Centreon HA Update procedures. Reporter: SpawnZii - PGM12268-13 Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the SNMP traps manufacturer configuration page.Reference: CVE-2025-54889CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: Marcelo QueirozStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the ACL Resources access configuration page.Reference: CVE-2025-54891CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: Marcelo QueirozStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the SNMP Traps group configuration page.Reference: CVE-2025-54892CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: Marcelo QueirozStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the Hosts templates configuration page.Reference: CVE-2025-54893CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: Marcelo QueirozStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page.Reference: CVE-2025-8459CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: Marcelo QueirozStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: A user with low privileges can inject XSS in the Monitoring Recurrent downtimes page.Reference: CVE-2025-8430CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: Marcelo QueirozStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: A user with elevated privileges can inject XSS in the ACL Action access configuration pageReference: CVE-2025-8429CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: Marcelo QueirozStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription:select2 is a jQuery-based replacement for select boxes. It supports searching, remote data sets, and pagination of results.Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to missing sanitization when HTML templates are used to display remotely-loaded data.Reference: CVE-2016-10744CVSS: 6.1Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates. Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: RCE via the poller reload feature available only to user with high privilege.Reference: CVE-2025-5946CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: h00die-gr3y using YesWeHackStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

 Publication date: September 24th, 2025Components: centreon-webDescription: A user with minimal rights (monitoring) can inject a JavaScript payload into a custom view in order to spoof an administrator or supervisor's session.Reference: CVE-2025-8428CVSS: 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N/E:F/RL:U/RC:C)Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: SpawnZii - PGM12268-17Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: September 24th, 2025Components: centreon-webDescription: upgraded jquery select2 to version 4.0.8Reference: linkCVSS: 4Severity: Medium Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.13 Centreon Web 24.04.18 Centreon Web 23.10.28These versions include cumulative fixes from prior updates.Reporter: N/AStay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: August 25th, 2025Components: centreon-webDescription: No password confirmation is requested when changing password from the user profile or user management page for local authentication.Reference: N/ACVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:Centreon Web 24.10.11 Centreon Web 24.04.17 Centreon Web 23.10.27These versions include cumulative fixes from prior updates. Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

Publication date: August 11th, 2025Components: centreon-gorgoneDescription: Command whitelist is too permissive for auto-discovery and could be exploited by a user with priviledges on the Centreon UI to remotely control a target.Reference: N/ACVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)Severity: Critical Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Gorgone and add parameter "no_shell_interpretation" to Gorgone configuration as documented on Centreon Central server:Centreon Gorgone 24.10.7 Centreon Gorgone 24.04.10 Centreon Gorgone 23.10.14These versions include cumulative fixes from prior updates. Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.    

Publication date: August 7th, 2025Components: centreon-license-managerDescription: The DOMPurify dependency is vulnerable to Prototype Pollution. The vulnerability is due to insufficient sanitization, allowing attackers to manipulate the prototype of JavaScript objects, potentially leading to unexpected behavior or security issues.Reference:N/ACVSS: 8.6 Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon License Manager on Centreon Central server:Centreon License Manager 24.10.3 Centreon License Manager 24.04.5 Centreon License Manager 23.10.6These versions include cumulative fixes from prior updates. Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.  

 Publication date: August 7th, 2025Components: centreon-webDescription: User with high privileges is able to introduce a SQLi using the Meta Service indicator pageReference: CVE-2025-4650CVSS: 7.2 Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web Centreon Central server:Centreon 24.10.9 Centreon 24.04.16 Centreon 23.10.26These versions include cumulative fixes from prior updates. Reporter: SpawnZii for YesWeHackSubmission: March 26, 2025 Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date. 

Publication date: August 7th, 2025Components: centreon-webDescription: Second-order SQL injection detected in event logs, exploitable via a low-privileged user.Reference: CVE-2025-6791CVSS: 8.6 Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web Centreon Central server:Centreon 24.10.9 Centreon 24.04.16 Centreon 23.10.26These versions include cumulative fixes from prior updates. Reporter: SpawnZii for YesWeHackSubmission: June 22, 2025 Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date. 

Publication date: August 7th, 2025Components: centreon-webDescription: Configuration forms and associated scripts have fields that are not protected against badly formatted parameters:Notification escalation pages Contact templates Host category Host configurationReference:N/ACVSS: 7.2 Severity: High Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web Centreon Central server:Centreon 24.10.9 Centreon 24.04.16 Centreon 23.10.26These versions include cumulative fixes from prior updates. Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date. 

Publication date: June 24, 2025Components: centreon-map-engine or centreon-map-legacy (on map server) Description: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was

Publication date: June 10, 2025Component: centreon-bi-engineFeature: CBIS Engine Description:Apache derby has been upgrade to the 10.17.1.0 on the 24.04, 24.10 and develop branches in January 2024.But this was not not the case on the 23.10 and 23.04 version. Reference: CVE-2022-46337CVSS:  9.8Severity: CRITICAL Status: Fixes have been provided for all supported versions and it is recommended to update Centreon MBI server:Centreon MBI Engine 23.10.12 Centreon MBI Engine 23.04.23These versions include cumulative fixes from prior updates. Reporter: N/ASubmission: April 09, 2025Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.

Publication date: March 14, 2025Component: centreon-webFeature:Event logs page Description: ACL are not correctly taken into account in the display of the "event logs" page. This page requiring, high privileges, will display all available logs. Reference: CVE-2025-4649CVSS:  4.9 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Severity: MEDIUM Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Central:Centreon 24.10.4 Centreon 24.04.10 Centreon 23.10.21 Centreon 23.04.26These versions include cumulative fixes from prior updates. Reporter: Benoit PouletSubmission: Feb 03, 2025Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.

Publication date: May 12, 2025Components: centreon-web, centreon-open-tickets & centreon-mbi-server.Feature: Open Tickets and Reporting (MBI) Update: Last March, we published a security bulletin advising you to update your Centreon central server. However, we did not make all module packages available. If you are using Centreon version 23.04.x ​​or 23.10.x, and if you use the ticket creation (Open Tickets) or reports generation (Centreon MBI) features, you must update your Centreon central server as well as these modules. Description: Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Upgrade to either version 3.1.48.1 Reference: CVE-2024-

Publication date: March 12, 2025Update: May, 12, 2025Components: centreon-web and all modules.Feature: All legacy pages Description: Smarty is a template engine for PHP. In affected versions smarty did not properly escape javascript code. An attacker could exploit this vulnerability to execute arbitrary JavaScript code in the context of the user's browser session. This may lead to unauthorized access to sensitive user data, manipulation of the web application's behavior, or unauthorized actions performed on behalf of the user. Upgrade to either version 3.1.48.1 Reference: CVE-2024-55573CVSS:  7.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L Severity: HIGH Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Central, Centreon Map and Centreon MBI servers:Centreon 23.10.x (centreon-web-23.10.22 and modules). Centreon 23.04.x (centreon-web-23.04.27 and modules)These versions include cumulative fixes from prior updates.Centreon 24.10.x and

  Publication date: Mai 12, 2025Component: centreon-map-engine On Centreon Map server.Feature: Graphical views (maps) Description: Upgraded spring security web dependency to version 6.2.8. Reference: N/ACVSS:  9.1Severity: CRITICAL Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Map server:Centreon Map 24.10.5 Centreon Map 24.04.11 Centreon Map 23.10.19 Centreon Map 23.04.23These versions include cumulative fixes from prior updates. Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.