CVE-2015-1561

Опубликовано: 14 июл. 2015

Источник: nvd

CVSS2: 6.5

EPSS Низкий

Описание

The escape_command function in include/Administration/corePerformance/getStats.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (fixed in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ns_id parameter.

Ссылки

http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
Exploit
http://www.securityfocus.com/archive/1/535961/100/0/threaded
https://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb
https://github.com/centreon/centreon/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a#diff-27550b563fa8d660b64bca871a219cb1
http://packetstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
Exploit
http://www.securityfocus.com/archive/1/535961/100/0/threaded
https://forge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb
https://github.com/centreon/centreon/commit/a78c60aad6fd5af9b51a6d5de5d65560ea37a98a#diff-27550b563fa8d660b64bca871a219cb1

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:centreon:centreon:*:*:*:*:*:*:*:*

Версия до 2.5.4 (включая)

EPSS

Процентиль: 90%

0.05236

Низкий

6.5 Medium

CVSS2

Дефекты

CWE-77

Связанные уязвимости

GHSA-c4fj-3wqq-g9c9

CVSS3: 8.5

github

больше 3 лет назад

Centreon Command Injection