Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability. The vulnerability is found within the menuXML.php file inside the 'menu' parameter. It was reported that by injecting a payload after the menu parameter, for example ' AND SLEEP(5) AND 'meHL'='meHL, the web application hung for 5 seconds.
A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.
Thanks to Tom Gregory of Spentera for reporting this vulnerability.
This document was written by Michael Orlando.
|Date First Published:||2012-12-12|
|Date Last Updated:||2012-12-12 12:37 UTC|