CVE-2018-11589
Description
Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple SQL injection flaws in Centreon 3.4.6 and Centreon Web 2.8.23 allow remote unauthenticated attackers to extract sensitive data.
Vulnerability
Multiple SQL injection vulnerabilities exist in Centreon 3.4.6, including Centreon Web 2.8.23. Injection occurs via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, and the host_id parameter in makeXML_ListMetrics.php [1]. No authentication or special configuration is required to reach the affected code paths.
Exploitation
An attacker can send crafted HTTP GET or POST requests to any of the vulnerable endpoints, supplying malicious SQL in the respective parameter. The only requirement is network access to the Centreon web interface [1]. No prior authentication or user interaction is needed.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands against the Centreon database. This can result in unauthorized disclosure of sensitive data, including user credentials, configuration details, and monitoring information [1]. The attacker gains read access to the full database contents but does not directly achieve remote code execution or file modification on the server.
Mitigation
Centreon patched these vulnerabilities in a later release, but the specific fixed version is not disclosed in the provided references [1]. Organizations should upgrade to the latest Centreon version. As a workaround, restrict network access to the Centreon web interface and validate or sanitize the affected input parameters in a Web Application Firewall (WAF). This CVE has no entry in the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 2.8.23
- (no CPE) range: = 2.8.23
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.24.html (MITRE, x_refsource_CONFIRM)
- github.com/centreon/centreon/pull/6250 (MITRE, x_refsource_CONFIRM)
- github.com/centreon/centreon/pull/6251 (MITRE, x_refsource_CONFIRM)
- github.com/centreon/centreon/pull/6255 (MITRE, x_refsource_CONFIRM)
- github.com/centreon/centreon/pull/6256 (MITRE, x_refsource_CONFIRM)
- github.com/centreon/centreon/pull/6257 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.