CVE-2015-1561

Centreon <2.5.4 - Command Injection

Title source: llm

Description

The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.

Exploits (1)

exploitdb WRITEUP

by Huy-Ngoc DAU · textwebappsphp

https://www.exploit-db.com/exploits/37528

View Code ZIP pw:eip

References (4)

[Exploit] http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html

[Various Sources] https://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb

[Patch] https://github.com/centreon/centreon/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a#diff-27550b563fa8d660b64bca871a219cb1

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/535961/100/0/threaded

Scores

EPSS 0.0524

EPSS Percentile 90.0%

Details

CWE

CWE-77

Status published

Products (2)

centreon/centreon < 2.5.4

centreon/centreon 0 - 2.8.28Packagist

Published Jul 14, 2015

Tracked Since Feb 18, 2026