CVE-2019-15298

Name of the Vulnerable Software and Affected Versions Centreon Web versions through 19.04.3

Description A problem was found in Centreon Web, where an authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface, specifically in the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly, allowing one to inject Linux commands directly.

Recommendations For Centreon Web versions through 19.04.3, as a temporary workaround, consider restricting access to the vulnerable page include/configuration/configObject/traps-mibs/formMibs.php until a patch is available. Avoid using the mnftr parameter in the affected form until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.