PT-2015-5350 · Centreon · Centreon
Published
2015-07-14
·
Updated
2022-05-14
·
CVE-2015-1561
CVSS v3.1
8.5
High
| Vector | AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Centreon versions 2.5.4 and earlier
Description
The issue arises from an incorrect regular expression used in the
escape command function, located in the include/Administration/corePerformance/getStats.php file. This allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns id parameter.Recommendations
For Centreon versions 2.5.4 and earlier, update to Centreon 19.10.0 or later, where the offending file has been deleted, thus resolving the issue. As a temporary workaround, consider restricting access to the
getStats.php file to minimize the risk of exploitation. Avoid using the ns id parameter in the affected API endpoint until the issue is resolved.Exploit
Fix
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Centreon