In Centreon Web through 2.8.29, disclosure of external components' passwords allows authenticated attackers to move laterally to external components.

In very rare cases, a PHP type juggling vulnerability in centreonAuth.class.php in Centreon Web before 2.8.27 allows attackers to bypass authentication mechanisms in place.

getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.

Local file inclusion in brokerPerformance.php in Centreon Web before 2.8.28 allows attackers to disclose information or perform a stored XSS attack on a user.

makeXML_ListServices.php in Centreon Web before 2.8.28 allows attackers to perform SQL injections via the host_id parameter.

img_gantt.php in Centreon Web before 2.8.27 allows attackers to perform SQL injections via the host_id parameter.

Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware virtual machine) and OVF (aka VirtualBox virtual machine) files, allowing attackers to gain privileges via a Trojan horse Centreon-autodisco executable file that is launched by cron.

Multiple SQL injection vulnerabilities in Centreon 3.4.6 including Centreon Web 2.8.23 allow attacks via the searchU parameter in viewLogs.php, the id parameter in GetXmlHost.php, the chartId parameter in ExportCSVServiceData.php, the searchCurve parameter in listComponentTemplates.php, or the host_id parameter in makeXML_ListMetrics.php.

There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php.

Centreon 3.4.6 including Centreon Web 2.8.23 is vulnerable to an authenticated user injecting a payload into the username or command description, resulting in stored XSS. This is related to www/include/core/menu/menu.php and www/include/configuration/configObject/command/formArguments.php.