CVE-2019-15298

moderate-risk
Published 2019-11-27

A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. This allows one to inject Linux commands directly.

Do I need to act?

~
8.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Centreon

References (6)

Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Third Party Advisory https://github.com/centreon/centreon/pull/8023
Not Applicable https://www.certilience.fr/2019/08/CVE-2019-15298-vulnerabilit%C3%A9-centreon-co...
Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Third Party Advisory https://github.com/centreon/centreon/pull/8023
Not Applicable https://www.certilience.fr/2019/08/CVE-2019-15298-vulnerabilit%C3%A9-centreon-co...
45
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 10/34 · Low
Exposure 5/34 · Minimal