9.1
CVE-2024-55573
- EPSS 1.09%
- Veröffentlicht 23.01.2025 23:15:08
- Zuletzt bearbeitet 06.06.2025 15:32:04
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
An issue was discovered in Centreon centreon-web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to inject SQL into the form used to create virtual metrics.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Centreon ≫ Centreon Web Version >= 23.04.0 < 23.04.24
Centreon ≫ Centreon Web Version >= 23.10.0 < 23.10.19
Centreon ≫ Centreon Web Version >= 24.04.0 < 24.04.9
Centreon ≫ Centreon Web Version >= 24.10.0 < 24.10.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.09% | 0.61 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| cve@mitre.org | 9.1 | 2.3 | 6 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://github.com/centreon/centreon/releases
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55573-centreon-web-critical-severity-4264