CVE-2019-13024

Name of the Vulnerable Software and Affected Versions Centreon versions 18.x through 18.10.5 Centreon versions 19.x through 19.04.2 Centreon web versions prior to 2.8.29

Description The issue allows an attacker to execute arbitrary system commands. This is achieved by using the value init script in "Monitoring Engine Binary" in main.get.php to insert an arbitrary command into the database. The command is then executed by calling the vulnerable page "www/include/configuration/configGenerate/xml/generateFiles.php", which passes the inserted value to the database to shell exec without sanitizing it, thus allowing the execution of arbitrary system commands.

Recommendations For Centreon versions 18.x through 18.10.5, update to version 18.10.6 or later. For Centreon versions 19.x through 19.04.2, update to version 19.04.3 or later. For Centreon web versions prior to 2.8.29, update to version 2.8.29 or later.