search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Centreon 2.3.3 through 2.3.9-4 blind sqli injection vulnerability.

Vulnerability Note VU#856892

Original Release Date: 2012-12-12 | Last Revised: 2012-12-12


Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability.


CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Centreon 2.3.3 through 2.3.9-4 contains a blind sql injection vulnerability. The vulnerability is found within the menuXML.php file inside the 'menu' parameter. It was reported that by injecting a payload after the menu parameter, for example '  AND SLEEP(5) AND 'meHL'='meHL, the web application hung for 5 seconds.


A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.



The vendor has stated that this vulnerability has been addressed in Centreon 2.4.0. Users are advised to update to Centreon 2.4.0 or newer.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information


Centreon Affected

Notified:  November 09, 2012 Updated: December 07, 2012



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 6.3 AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal 4.8 E:U/RL:U/RC:UC
Environmental 1.3 CDP:L/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Tom Gregory of Spentera for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-5967
Date Public: 2012-12-12
Date First Published: 2012-12-12
Date Last Updated: 2012-12-12 12:37 UTC
Document Revision: 10

Sponsored by CISA.