CVE-2021-27676
Description
Centreon version 20.10.2 is affected by a cross-site scripting (XSS) vulnerability. The dep_description (Dependency Description) and dep_name (Dependency Name) parameters are vulnerable to stored XSS. A user has to log in and go to the Configuration > Notifications > Hosts page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| centreon/centreon (Packagist) | < 20.10.7 | 20.10.7 |
Affected products
- Centreon/Centreon
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization of the dep_description and dep_name parameters allows stored cross-site scripting."
Attack vector
An attacker who is already authenticated to Centreon can navigate to Configuration > Notifications > Hosts and inject malicious JavaScript into the `dep_description` or `dep_name` fields [CWE-79]. Because the application does not neutralize user-controllable input before storing it, the payload is persisted in the database. When any other user (including administrators) views the same page, the stored script executes in their browser, enabling session hijacking, credential theft, or further actions within the Centreon session.
Affected code
The advisory identifies the `dep_description` (Dependency Description) and `dep_name` (Dependency Name) parameters on the Configuration > Notifications > Hosts page as vulnerable to stored XSS. The patch [patch_id=6635466] only removes `package-lock.json` files and does not contain any fix for the XSS vulnerability, so the exact source files where the parameters are rendered unsanitized are not shown in the provided diff.
What the fix does
The provided patch [patch_id=6635466] only removes `package-lock.json` files and does not contain any code change that addresses the stored XSS vulnerability. The advisory does not include a functional fix for the `dep_description` or `dep_name` parameters. Without a proper sanitization or output-encoding patch, the vulnerability remains unmitigated in the supplied diff.
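To illustrate the kind of output-encoding fix the supplied diff lacks, here is an added example (not Centreon's own code and not taken from the advisory): a hypothetical PHP helper that renders a host-dependency row first without encoding and then with `htmlspecialchars` applied at output time. The function names, the row markup and the sample record are assumptions; only the field names `dep_name` and `dep_description` come from the advisory.

```php
<?php
// Added example, not Centreon's code: a hypothetical helper that renders a
// host-dependency row. Field names follow the advisory; layout and function
// names are assumed.
declare(strict_types=1);

/** Encode a stored value for safe use as HTML text or as a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable form: stored values are interpolated into markup unchanged,
 *  so any tag or quote in the value is interpreted by the browser. */
function renderDependencyRowUnsafe(array $dep): string
{
    return '<tr><td>' . $dep['dep_name'] . '</td>'
         . '<td title="' . $dep['dep_description'] . '">'
         . $dep['dep_description'] . '</td></tr>';
}

/** Hardened form: every stored value is encoded at output time, in both the
 *  element-content and the attribute-value context. */
function renderDependencyRowSafe(array $dep): string
{
    return '<tr><td>' . h($dep['dep_name']) . '</td>'
         . '<td title="' . h($dep['dep_description']) . '">'
         . h($dep['dep_description']) . '</td></tr>';
}

// Constructed sample record: the description carries a tag, a quote and an
// ampersand, i.e. exactly the characters a stored value must not pass through raw.
$dep = [
    'dep_name'        => 'db-primary',
    'dep_description' => 'Primary DB "<b>host</b>" & replicas',
];

echo renderDependencyRowUnsafe($dep), PHP_EOL; // tag and quote reach the browser as markup
echo renderDependencyRowSafe($dep), PHP_EOL;   // rendered as literal text, e.g. &lt;b&gt;host&lt;/b&gt;
```

The encoding belongs at the point of output, not only on input, because the same stored value is rendered in more than one context (here, both as cell text and inside a `title` attribute).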
Preconditions
- auth: Attacker must have a valid authenticated session in Centreon
- input: Attacker must access the Configuration > Notifications > Hosts page to inject the payload
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r5mf-q76q-f2xq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-27676 (advisory)
- centreon.com (web)
- github.com/centreon/centreon/pull/9587 (web)
- github.com/centreon/centreon/releases/tag/20.10.7 (web)