This update applies to S3-enabled websites using the Centreon 22.04.0 release. This cross-site scripting issue was reported to us by a security researcher. We have confirmed the XSS vulnerability and have issued an update to fix it. In the latest version of Centreon (22.04.1), the Service>Templates service_alias parameter was not properly sanitised before being displayed to users. This allowed attackers to inject arbitrary web script or HTML into the Service>Templates service_alias parameter, and consequently into S3-enabled websites using Centreon 22.04.0. Details of this XSS vulnerability are listed below.

In order to exploit this XSS vulnerability, an attacker must be able to leverage either administrator

Introduction

Cross-site scripting vulnerabilities allow attackers to inject arbitrary web script or HTML into a website, where it is rendered to other users as though it were legitimate page content. If the vulnerability is not fixed, it can serve as the starting point for a wide range of further attacks that could have been prevented.

The service_alias parameter is vulnerable to an XSS attack

The service_alias parameter is vulnerable to an XSS attack. Any web script or HTML injected into this parameter is stored and later rendered without encoding when the template is displayed, so it executes in the browser of the user viewing that page. This vulnerability has been confirmed in the following versions of Centreon:
- 22.04.0
- 22.04.1
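As an added illustration that is not Centreon's own code (Centreon is written in PHP), the following Python contrasts the unsafe rendering pattern the advisory describes with an output-encoded version, and adds a small audit helper for finding stored alias values that already contain markup. The `<td>` wrapper and the sample alias values are constructed for this example.

```python
import html
import re

# Constructed sample values for a service_alias field (not taken from the advisory):
# a benign alias, one with a bare ampersand, and one carrying injected markup.
SAMPLE_ALIASES = [
    "generic-ping",
    "Ping & Traceroute",
    "<script>alert(1)</script>",
]


def render_alias_vulnerable(alias: str) -> str:
    """Pre-fix pattern: the stored value is interpolated straight into the HTML,
    so any tags or script it contains become part of the page."""
    return f"<td>{alias}</td>"


def render_alias_fixed(alias: str) -> str:
    """Fixed pattern: encode the value for an HTML text context before output.
    quote=True also encodes quotes, so the same helper is safe inside attributes."""
    return f"<td>{html.escape(alias, quote=True)}</td>"


# Audit heuristic for stored configuration: HTML tags, inline event handlers,
# or javascript: URLs have no business in a service alias.
_MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>"      # any HTML tag
    r"|\bon[a-zA-Z]+\s*="           # onerror=, onload=, ...
    r"|javascript\s*:",             # javascript: URL scheme
    re.IGNORECASE,
)


def contains_markup(value: str) -> bool:
    """Return True if a stored alias looks like it carries injected markup."""
    return _MARKUP_RE.search(value) is not None


def audit_aliases(aliases):
    """Return the subset of stored aliases an administrator should review."""
    return [a for a in aliases if contains_markup(a)]


if __name__ == "__main__":
    for alias in SAMPLE_ALIASES:
        print("unsafe:", render_alias_vulnerable(alias))
        print("fixed: ", render_alias_fixed(alias))
    print("needs review:", audit_aliases(SAMPLE_ALIASES))
```

Running the audit over the real service template table after upgrading is a reasonable way to confirm that no injected alias survived from before the fix.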

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/06/2022 23:35:00 UTC
