CVE-2014-3829

Merethis Centreon - Code Injection


Description

displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Server 2.2 (fixed in Centreon web 2.5.3) allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) session_id or (2) template_id parameter, related to the command_line variable.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby, webapps, linux
https://www.exploit-db.com/exploits/41676
metasploit WORKING POC EXCELLENT
by MaZ, juan vazquez · ruby, poc, unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/centreon_sqli_exec.rb

Scores

EPSS 0.8620
EPSS Percentile 99.4%

Details

CWE CWE-94
Status published
Products (2)
merethis/centreon 2.5.1
merethis/centreon_enterprise_server 2.2
Published Oct 23, 2014
Tracked Since Feb 18, 2026