Description

The content of an SVG file received as input in Centreon web was not properly checked, which allows reflected XSS. A user with elevated privileges can inject JavaScript by altering the content of an SVG media during the submit request. This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.

PUBLISHED Reserved 2025-05-13 | Published 2025-05-13 | Updated 2025-10-08 | Assigner Centreon




HIGH: 8.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected

24.10.0 (semver) before 24.10.5: affected

24.04.0 (semver) before 24.04.11: affected

23.10.0 (semver) before 23.10.22: affected

23.04.0 (semver) before 23.04.27: affected

22.10.0 (semver) before 22.10.29: affected

Credits

SpawnZii working with YesWeHack (finder)

References

thewatch.centreon.com/...575-centreon-web-high-severity-4434 (vendor-advisory)

github.com/centreon/centreon/releases

cve.org (CVE-2025-4648)

nvd.nist.gov (CVE-2025-4648)
