Vulnerability Details : CVE-2014-3828
Public exploit exists!
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.
Vulnerability category: Sql Injection
Products affected by CVE-2014-3828
- cpe:2.3:a:merethis:centreon:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:merethis:centreon_enterprise_server:2.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3828
89.75%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2014-3828
-
Centreon SQL and Command Injection
Disclosure Date: 2014-10-15First seen: 2020-04-26exploit/linux/http/centreon_sqli_execThis module exploits several vulnerabilities on Centreon 2.5.1 and prior and Centreon Enterprise Server 2.2 and prior. Due to a combination of SQL injection and command injection in the displayServiceStatus.php component, it is possible to execute arbitrary commands
CVSS scores for CVE-2014-3828
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
CWE ids for CVE-2014-3828
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3828
-
http://www.kb.cert.org/vuls/id/298796
VU#298796 - Centreon contains multiple vulnerabilitiesThird Party Advisory;US Government Resource
-
https://github.com/centreon/centreon/commit/cc2109804dd69057cb209037113796ec5ffdce90#diff-e328097503b14fbb117e0db798aefcde
fix #5895 : security issues · centreon/centreon@cc21098 · GitHub
-
http://www.securityfocus.com/bid/70648
Centreon and Centreon Enterprise Server CVE-2014-3828 Multiple SQL Injection VulnerabilitiesExploit
-
https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.5/centreon-2.5.3.html
Centreon 2.5.3 — Centreon 19.10 documentation
-
http://seclists.org/fulldisclosure/2014/Oct/78
Full Disclosure: Multiple unauthenticated SQL injections and unauthenticated remote command injection in Centreon <= 2.5.2 and Centreon Enterprise Server <= 2.2|3.0Exploit
Jump to