PT-2018-10688 · Centreon · Centreon+1

Published 2018-06-25 · Updated 2018-08-28 · CVE-2018-11589

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Centreon version 3.4.6
Centreon Web version 2.8.23

Description

The issue allows for SQL injection attacks through various parameters in different PHP files. Specifically, attacks can be launched via the searchU parameter in "viewLogs.php", the id parameter in "GetXmlHost.php", the chartId parameter in "ExportCSVServiceData.php", the searchCurve parameter in "listComponentTemplates.php", or the host_id parameter in "makeXML_ListMetrics.php".

Recommendations

For Centreon version 3.4.6, avoid using the searchU parameter in "viewLogs.php", the id parameter in "GetXmlHost.php", the chartId parameter in "ExportCSVServiceData.php", the searchCurve parameter in "listComponentTemplates.php", or the host_id parameter in "makeXML_ListMetrics.php" until a patch is available. For Centreon Web version 2.8.23, consider restricting access to the aforementioned PHP files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2018-11589

Affected Products

Centreon
Centreon Web