CVE-2019-15300

moderate-risk
Published 2019-11-27

A problem was found in Centreon Web through 19.04.3. An authenticated SQL injection is present in the page include/Administration/parameters/ldap/xml/ldap_host.php. The arId parameter is not properly filtered before being passed to the SQL query.

Do I need to act?

-
0.27% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Centreon

References (12)

Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Patch https://github.com/centreon/centreon/pull/8008
Patch https://github.com/centreon/centreon/pull/8009
Not Applicable https://www.certilience.fr/2019/08/CVE-2019-15300-vulnerabilit%C3%A9-centreon-sq...
Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Release Notes https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreo...
Patch https://github.com/centreon/centreon/pull/8008
Patch https://github.com/centreon/centreon/pull/8009
Not Applicable https://www.certilience.fr/2019/08/CVE-2019-15300-vulnerabilit%C3%A9-centreon-sq...
36
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal