PT-2014-5531 · Centreon · Centreon Enterprise Server+2

Maz +1 · Published 2014-10-23 · Updated 2019-07-30

CVE-2014-3828

CVSS v2.0: 10.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Centreon versions 2.5.1 through 2.5.2
Centreon Enterprise Server version 2.2
Description

Multiple SQL injection flaws allow a remote attacker to execute arbitrary SQL commands against the Centreon database. No authentication is required (CVSS Au:N). The injectable parameters, all in scripts under include/, are:

the index_id parameter to views/graphs/common/makeXML_ListMetrics.php
the sid parameter to views/graphs/GetXmlTree.php
the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php
the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php
the index parameter to common/javascript/commandGetArgs/cmdGetExample.php
Recommendations

Centreon 2.5.1 through 2.5.2: upgrade to Centreon Web 2.5.3.
Centreon Enterprise Server 2.2: upgrade to a release that includes the fix for CVE-2014-3828; this page does not name the fixed CES version.
Until the upgrade is applied, restrict access to the five affected scripts under include/ (for example at the web server, by source address or by requiring authentication), and treat requests to them whose index_id, sid, session_id, mnftr_id or index values are anything other than the plain identifiers the scripts expect as exploitation attempts.
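The following is an added example, not code from Centreon or from this advisory's author. It turns the five script/parameter pairs from the description into a small access-log check a defender can run while the workaround above is in place: it parses Apache combined-format lines, keeps only requests to the affected scripts under include/, and flags values of the injectable parameter that contain SQL metacharacters or keywords. The log lines are constructed for the example, as are the IP addresses and the install prefix /centreon/.

```python
"""Flag requests that look like attempts against the CVE-2014-3828 SQL
injection points.  Added example, not Centreon code."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Script path (relative to include/) -> injectable query parameter, from the advisory.
VULNERABLE_PARAMS = {
    "views/graphs/common/makeXML_ListMetrics.php": "index_id",
    "views/graphs/GetXmlTree.php": "sid",
    "views/graphs/graphStatus/displayServiceStatus.php": "session_id",
    "configuration/configObject/traps/GetXMLTrapsForVendor.php": "mnftr_id",
    "common/javascript/commandGetArgs/cmdGetExample.php": "index",
}

# Cheap indicators that a value is not the numeric id / session token these
# scripts expect.  Tuned for these parameters only; not a general SQLi detector.
SQLI_PATTERN = re.compile(
    r"""(['"`]|--|/\*|;|\b(or|and|union|select|sleep|benchmark|load_file|into)\b)""",
    re.IGNORECASE,
)

# Apache combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one benign request, two probes, two out-of-scope lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2014:10:00:01 +0000] "GET /centreon/include/views/graphs/common/makeXML_ListMetrics.php?index_id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Oct/2014:10:00:02 +0000] "GET /centreon/include/views/graphs/common/makeXML_ListMetrics.php?index_id=42+OR+1%3D1 HTTP/1.1" 200 8192',
    '203.0.113.7 - - [23/Oct/2014:10:00:03 +0000] "GET /centreon/include/configuration/configObject/traps/GetXMLTrapsForVendor.php?mnftr_id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 64',
    '203.0.113.7 - - [23/Oct/2014:10:00:04 +0000] "GET /centreon/include/views/graphs/GetXmlTree.php?foo=%27 HTTP/1.1" 200 64',
    '203.0.113.7 - - [23/Oct/2014:10:00:05 +0000] "GET /centreon/main.php?p=1%27 HTTP/1.1" 200 64',
]


def parse_line(line):
    """Parse one combined-format line into ip, method, path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def match_vulnerable_script(path):
    """Return the injectable parameter name if the path is one of the affected
    scripts under include/, whatever the install prefix; otherwise None."""
    for script, param in VULNERABLE_PARAMS.items():
        if path.endswith("/include/" + script):
            return param
    return None


def inspect(line):
    """Return (param, decoded_value) when the request targets an affected script
    and the injectable parameter carries a suspicious value; otherwise None."""
    rec = parse_line(line)
    if rec is None:
        return None
    param = match_vulnerable_script(rec["path"])
    if param is None:
        return None
    for value in rec["query"].get(param, []):
        # parse_qs already decoded once; decoding again catches double-encoded
        # payloads such as %2527 for a single quote.
        decoded = unquote_plus(value)
        if SQLI_PATTERN.search(decoded):
            return param, decoded
    return None


def scan(lines):
    """Return a list of (ip, param, value) for every suspicious request."""
    hits = []
    for line in lines:
        found = inspect(line)
        if found:
            hits.append((parse_line(line)["ip"], found[0], found[1]))
    return hits


if __name__ == "__main__":
    for ip, param, value in scan(SAMPLE_LOG):
        print(f"{ip} {param}={value!r}")
```

Only the parameter named in the advisory is inspected for each script, so a quote in some other parameter of GetXmlTree.php, or in a script outside include/, is not reported; widen VULNERABLE_PARAMS if a local review finds further sinks.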

Exploit · Fix · RCE · SQL injection


Weakness Enumeration

Related Identifiers

CVE-2014-3828

Affected Products

Centreon
Centreon Enterprise Server
Centreon Web