Spawnzii

**Name of the Vulnerable Software and Affected Versions** Centreon Infra Monitoring versions 23.10.0 through 23.10.26 Centreon Infra Monitoring versions 24.04.0 through 24.04.16 Centreon Infra Monitoring versions 24.10.0 through 24.10.9 **Description** The software contains an Improper Neutralization of Input During Web Page Generation issue, specifically a Stored Cross-site Scripting (XSS) condition. This allows users with elevated privileges to inject malicious scripts. The issue is located within the Services Meta-services modules. **Recommendations** Update Centreon Infra Monitoring to version 23.10.27 or later. Update Centreon Infra Monitoring to version 24.04.17 or later. Update Centreon Infra Monitoring to version 24.10.10 or later.

**Name of the Vulnerable Software and Affected Versions** Centreon Infra Monitoring versions 24.10.0 through 24.10.12 Centreon Infra Monitoring versions 24.04.0 through 24.04.17 Centreon Infra Monitoring versions 23.10.0 through 23.10.27 **Description** A flaw exists in Centreon Infra Monitoring related to improper input neutralization during web page generation, leading to a Stored Cross-site Scripting (XSS) condition. This issue is present in the HTTP Loader widget modules. Successful exploitation could allow an attacker to inject malicious scripts into web pages viewed by other users. **Recommendations** Update Centreon Infra Monitoring to version 24.10.13 or later. Update Centreon Infra Monitoring to version 24.04.18 or later. Update Centreon Infra Monitoring to version 23.10.28 or later.

Name of the Vulnerable Software and Affected Versions: web versions 23.10.0 through 23.10.26 web versions 24.04.0 through 24.04.16 web versions 24.10.0 through 24.10.9 Description: A user with high privileges can inject SQL commands through the Meta Service indicator page due to improper neutralization of special elements within an SQL query. Recommendations: Update web to a version after 23.10.26. Update web to a version after 24.04.16. Update web to a version after 24.10.9.

Name of the Vulnerable Software and Affected Versions: Centreon web versions 23.10.0 through 23.10.26 Centreon web versions 24.04.0 through 24.04.16 Centreon web versions 24.10.0 through 24.10.9 Description: The web application is susceptible to SQL Injection due to improper neutralization of special elements used in an SQL command within the Monitoring event logs module. An authenticated, low-privileged attacker can manipulate the database by altering HTTP requests to insert a payload. Recommendations: Centreon web versions prior to 23.10.26 should be updated. Centreon web versions prior to 24.04.16 should be updated. Centreon web versions prior to 24.10.9 should be updated.

**Name of the Vulnerable Software and Affected Versions** Centreon Web versions 23.04.x through 23.04.23 Centreon Web versions 23.10.x through 23.10.18 Centreon Web versions 24.04.x through 24.04.8 Centreon Web versions 24.10.x through 24.10.2 **Description** A user with high privileges is able to achieve SQL injection in the form to upload media. This issue allows attackers with high privileges to exploit the media upload form by potentially injecting malicious SQL code. **Recommendations** Centreon Web version 23.04.x: Update to version 23.04.24 or later. Centreon Web version 23.10.x: Update to version 23.10.19 or later. Centreon Web version 24.04.x: Update to version 24.04.9 or later. Centreon Web version 24.10.x: Update to version 24.10.3 or later.

**Name of the Vulnerable Software and Affected Versions** Centreon centreon-web versions 24.10.x prior to 24.10.3 Centreon centreon-web versions 24.04.x prior to 24.04.9 Centreon centreon-web versions 23.10.x prior to 23.10.19 Centreon centreon-web versions 23.04.x prior to 23.04.24 **Description** A user with high privileges is able to inject SQL into the form used to create virtual metrics. This issue allows an attacker with high privileges to perform SQL injection, potentially enabling privilege escalation. **Recommendations** For Centreon centreon-web version 24.10.x prior to 24.10.3, update to version 24.10.3 or later. For Centreon centreon-web version 24.04.x prior to 24.04.9, update to version 24.04.9 or later. For Centreon centreon-web version 23.10.x prior to 23.10.19, update to version 23.10.19 or later. For Centreon centreon-web version 23.04.x prior to 23.04.24, update to version 23.04.24 or later. As a temporary workaround, consider restricting access to the form used to create virtual metrics until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** grist-core versions prior to 1.3.2 **Description** The issue arises when a user visits a malicious document and clicks on a link in a HyperLink cell using a control modifier, such as Ctrl+click. This could lead to account compromise, as the link could use the javascript: scheme and be evaluated in the context of their current page. **Recommendations** For versions prior to 1.3.2, upgrade to version 1.3.2 or later to resolve the issue. As a temporary workaround for users unable to upgrade, avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust.

**Name of the Vulnerable Software and Affected Versions** grist-core versions prior to 1.3.1 **Description** A user visiting a malicious document or submitting a malicious form could have their account compromised due to the ability to use the `javascript:` scheme with custom widget URLs and form redirect URLs. **Recommendations** For versions prior to 1.3.1, upgrade to version 1.3.1 to resolve the issue. As a temporary workaround for users unable to upgrade, avoid visiting documents or forms prepared by people they do not trust.

**Name of the Vulnerable Software and Affected Versions** SPIP versions 3.1.13 through 4.1.2 **Description** The issue allows remote authenticated users to execute arbitrary code via the ` oups` parameter. This enables attackers to perform remote code execution (RCE) on affected systems. **Recommendations** For SPIP versions 3.1.13 through 4.1.2, consider restricting access to the ` oups` parameter to minimize the risk of exploitation until a patch is available.