CVE-2018-19271
Description
Centreon 3.4.x (fixed in Centreon 18.10.0 and Centreon web 2.8.28) allows SQL Injection via the main.php searchH parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Centreon 3.4.x is vulnerable to SQL injection via the searchH parameter in main.php, fixed in 18.10.0 and web 2.8.28.
Vulnerability
Centreon versions 3.4.x are affected by a SQL injection vulnerability in the main.php endpoint via the searchH parameter [1]. The flaw was addressed in Centreon 18.10.0 and Centreon web 2.8.28 [1][4]. The issue originates from insufficient filtering of user-supplied input on the host list page [3][4].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to main.php with a malicious searchH parameter. No authentication is explicitly required by the description, but typical Centreon deployments require access to the web interface. The attacker must be able to reach the vulnerable endpoint; a simple GET or POST request with a SQL payload in the searchH parameter is sufficient to trigger the injection [1].
Impact
Successful exploitation allows an attacker to perform SQL injection against the Centreon database. This can lead to unauthorized access to, modification of, or deletion of sensitive monitoring data, including credentials and configuration. In some cases, SQL injection may be leveraged to achieve remote code execution or privilege escalation, depending on database permissions [1].
Mitigation
The vulnerability is fixed in Centreon 18.10.0 (released November 2018) and Centreon web 2.8.28 [1][2][4]. Users running Centreon 3.4.x should upgrade to these or later versions immediately. The security fix included adding SQL sanitization filters on the host list page parameters (hostgroup, poller, template, status) [3]. No workarounds are documented; upgrading is the recommended action.
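For deployments that cannot be upgraded at once, the request pattern described under Exploitation can be hunted in web server logs. The following is an added example, not code from Centreon or from the advisory; the combined log format, the `/centreon/` path prefix, the sample lines, and the allowlist of characters expected in a host search are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2018:10:00:01 +0000] "GET /centreon/main.php?searchH=web-01 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Nov/2018:10:00:07 +0000] "GET /centreon/main.php?searchH=web-01%27 HTTP/1.1" 200 5300
10.0.0.5 - - [01/Nov/2018:10:00:09 +0000] "GET /centreon/index.php?searchH=web-01%27 HTTP/1.1" 200 900
10.0.0.7 - - [01/Nov/2018:10:00:12 +0000] "GET /centreon/main.php?searchH=db_srv.example HTTP/1.1" 200 5000
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate host searches use only letters, digits, '_', '.', '-' and spaces.
SAFE_VALUE = re.compile(r"[\w.\- ]*", re.ASCII)


def suspicious_searchh(log_text):
    """Return (client, decoded searchH) for main.php requests outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/main.php"):
            continue
        # parse_qs percent-decodes, so encoded metacharacters are compared in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("searchH", []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_searchh(SAMPLE_LOG):
        print(f"{client} sent searchH={value!r}")
```

Access logs normally record only the query string, so a searchH value sent in a POST body needs application or WAF logging to be visible to this check.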
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| centreon/centreon (Packagist) | >= 18.0.0, < 18.10.0 | 18.10.0 |
| centreon/centreon (Packagist) | < 2.8.28 | 2.8.28 |
Affected products
- Range: <=2.8.27
References
- github.com/advisories/GHSA-79hg-357g-rrgv (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-19271 (ghsa; ADVISORY)
- www.rootlabs.com.br/authenticated-sql-injection-in-centreon-3-4-x (ghsa; WEB)
- www.rootlabs.com.br/authenticated-sql-injection-in-centreon-3-4-x/ (mitre; x_refsource_MISC)
- documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.0.html (ghsa; x_refsource_CONFIRM, WEB)
- documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-2.8/centreon-2.8.28.html (ghsa; x_refsource_CONFIRM, WEB)
- github.com/centreon/centreon-archived/pull/6625 (ghsa; WEB)
- github.com/centreon/centreon/pull/6625 (mitre; x_refsource_CONFIRM)