Lucene search

GitHub Advisory DatabaseGHSA-RV5Q-72P2-2Q24

HistorySep 27, 2022 - 12:00 a.m.

Centreon contains cross-site scripting vulnerability via esc_name parameter

2022-09-2700:00:20

CWE-79

GitHub Advisory Database

github.com

centreon

cross-site scripting

v20.10.18

escalation name

configuration

notifications

escalations

vulnerability

web scripts

html

crafted payload

patches

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.4%

JSON

Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. Versions 21.04.16, 21.10.8, and 22.04.2 contain patches.

Affected configurations

Vulners

Node

centreoncentreonRange<22.04.1

centreoncentreonRange<21.10.8

centreoncentreonRange<21.04.16

CPENameOperatorVersion
centreon/centreonlt22.04.1
centreon/centreonlt21.10.8
centreon/centreonlt21.04.16

Name	Operator	Version
centreon/centreon	lt	22.04.1
centreon/centreon	lt	21.10.8
centreon/centreon	lt	21.04.16

References

github.com/advisories/GHSA-rv5q-72p2-2q24

github.com/centreon/centreon/commit/1a6ee0e9a003ac4f07dc8c370aec6e8911279358

github.com/centreon/centreon/commit/76fdfba312515656419a1311a83adfb11a73199f

github.com/centreon/centreon/commit/cee5d3b0b0077182dfced5fb1d216a4ac168c05f

github.com/centreon/centreon/releases

nvd.nist.gov/vuln/detail/CVE-2022-40044

www.hakaioffensivesecurity.com/centreon-sqli-and-xss-vulnerability/