PT-2025-3131 · Centreon · Centreon Web
Spawnzii · Published 2025-01-03 · Updated 2025-06-06 · CVE-2024-55573
CVSS v3.1: 9.1 (Critical)
Vector: AC:L/AV:N/A:H/C:H/I:H/PR:H/S:C/UI:N
Name of the Vulnerable Software and Affected Versions
Centreon centreon-web versions 24.10.x prior to 24.10.3
Centreon centreon-web versions 24.04.x prior to 24.04.9
Centreon centreon-web versions 23.10.x prior to 23.10.19
Centreon centreon-web versions 23.04.x prior to 23.04.24
Description
A user with high privileges can inject SQL into the form used to create virtual metrics. This SQL injection potentially enables privilege escalation.
Recommendations
For Centreon centreon-web version 24.10.x prior to 24.10.3, update to version 24.10.3 or later.
For Centreon centreon-web version 24.04.x prior to 24.04.9, update to version 24.04.9 or later.
For Centreon centreon-web version 23.10.x prior to 23.10.19, update to version 23.10.19 or later.
For Centreon centreon-web version 23.04.x prior to 23.04.24, update to version 23.04.24 or later.
As a temporary workaround, consider restricting access to the form used to create virtual metrics until a patch is applied.
Fix
LPE
SQL injection
Affected Products
Centreon Web