Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for open_tickets by centreon

    CVE-2026-2749 (GCVE-0-2026-2749)

    Vulnerability from nvd – Published: 2026-02-27 15:05 – Updated: 2026-03-06 15:31
    VLAI
    Title
    Path traversal in Centreon Open Tickets
    Summary
    Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    Centreon Affected: all , < 25.10.3, 24.10.8, 24.04.7 (custom)
    Credits
    Texugo from Hakaï Security
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2749",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T17:27:52.270795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T15:31:59.884Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://download.centreon.com",
              "defaultStatus": "unaffected",
              "modules": [
                "Centroen Open Ticket"
              ],
              "packageName": "Centreon Open Tickets on Central Server",
              "platforms": [
                "Linux"
              ],
              "vendor": "Centreon",
              "versions": [
                {
                  "lessThan": "25.10.3, 24.10.8, 24.04.7",
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Texugo from Haka\u00ef Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).\u003cp\u003eThis issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7.\u003c/p\u003e"
                }
              ],
              "value": "Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-27T15:05:17.203Z",
            "orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
            "shortName": "Centreon"
          },
          "references": [
            {
              "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2026-2749-centreon-open-tickets-critical-severity-5493"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Path traversal in Centreon Open Tickets",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
        "assignerShortName": "Centreon",
        "cveId": "CVE-2026-2749",
        "datePublished": "2026-02-27T15:05:17.203Z",
        "dateReserved": "2026-02-19T14:25:05.119Z",
        "dateUpdated": "2026-03-06T15:31:59.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8460 (GCVE-0-2025-8460)

    Vulnerability from nvd – Published: 2025-12-22 10:55 – Updated: 2026-01-05 09:51
    VLAI
    Title
    A user with elevated privileges can inject XSS in the Notification rules configuration page
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Centreon Infra Monitoring Affected: 24.10.0 , < 24.10.5 (custom)
    Affected: 24.04.0 , < 24.04.5 (custom)
    Affected: 23.10.0 , < 23.10.4 (custom)
    Create a notification for this product.
    Credits
    Marcelo Queiroz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T13:06:38.809854Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T13:07:32.339Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Notification rules",
                "Open tickets"
              ],
              "product": "Infra Monitoring",
              "vendor": "Centreon",
              "versions": [
                {
                  "lessThan": "24.10.5",
                  "status": "affected",
                  "version": "24.10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "24.04.5",
                  "status": "affected",
                  "version": "24.04.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "23.10.4",
                  "status": "affected",
                  "version": "23.10.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Marcelo Queiroz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) \n\nallows Stored \n\nXSS by users with elevated privileges.\u003cp\u003eThis issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) \n\nallows Stored \n\nXSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-05T09:51:56.936Z",
            "orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
            "shortName": "Centreon"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/centreon/centreon/releases"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8460-centreon-open-tickets-medium-severity-5344"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A user with elevated privileges can inject XSS in the Notification rules configuration page",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
        "assignerShortName": "Centreon",
        "cveId": "CVE-2025-8460",
        "datePublished": "2025-12-22T10:55:58.934Z",
        "dateReserved": "2025-08-01T13:57:56.199Z",
        "dateUpdated": "2026-01-05T09:51:56.936Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-12514 (GCVE-0-2025-12514)

    Vulnerability from nvd – Published: 2025-12-22 10:59 – Updated: 2026-01-05 09:52
    VLAI
    Title
    A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Centreon Infra Monitoring - Open-tickets Affected: 24.10.0 , < 24.10.5 (custom)
    Affected: 24.04.0 , < 24.04.5 (custom)
    Affected: 23.10.0 , < 23.10.4 (custom)
    Create a notification for this product.
    Credits
    Marcelo Queiroz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T13:00:53.955586Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T13:03:40.534Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Notification rules configuration parameters",
                "Open tickets"
              ],
              "product": "Infra Monitoring - Open-tickets",
              "vendor": "Centreon",
              "versions": [
                {
                  "lessThan": "24.10.5",
                  "status": "affected",
                  "version": "24.10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "24.04.5",
                  "status": "affected",
                  "version": "24.04.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "23.10.4",
                  "status": "affected",
                  "version": "23.10.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Marcelo Queiroz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows \n\nSQL Injection to user with elevated privileges.\u003cp\u003eThis issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows \n\nSQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-05T09:52:48.786Z",
            "orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
            "shortName": "Centreon"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/centreon/centreon/releases"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12514-centreon-open-tickets-high-severity-5343"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
        "assignerShortName": "Centreon",
        "cveId": "CVE-2025-12514",
        "datePublished": "2025-12-22T10:59:18.155Z",
        "dateReserved": "2025-10-30T15:26:40.360Z",
        "dateUpdated": "2026-01-05T09:52:48.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2749 (GCVE-0-2026-2749)

    Vulnerability from cvelistv5 – Published: 2026-02-27 15:05 – Updated: 2026-03-06 15:31
    VLAI
    Title
    Path traversal in Centreon Open Tickets
    Summary
    Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Impacted products
    Vendor Product Version
    Centreon Affected: all , < 25.10.3, 24.10.8, 24.04.7 (custom)
    Credits
    Texugo from Hakaï Security
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2749",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T17:27:52.270795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-06T15:31:59.884Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://download.centreon.com",
              "defaultStatus": "unaffected",
              "modules": [
                "Centroen Open Ticket"
              ],
              "packageName": "Centreon Open Tickets on Central Server",
              "platforms": [
                "Linux"
              ],
              "vendor": "Centreon",
              "versions": [
                {
                  "lessThan": "25.10.3, 24.10.8, 24.04.7",
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Texugo from Haka\u00ef Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).\u003cp\u003eThis issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7.\u003c/p\u003e"
                }
              ],
              "value": "Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-27T15:05:17.203Z",
            "orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
            "shortName": "Centreon"
          },
          "references": [
            {
              "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2026-2749-centreon-open-tickets-critical-severity-5493"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Path traversal in Centreon Open Tickets",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
        "assignerShortName": "Centreon",
        "cveId": "CVE-2026-2749",
        "datePublished": "2026-02-27T15:05:17.203Z",
        "dateReserved": "2026-02-19T14:25:05.119Z",
        "dateUpdated": "2026-03-06T15:31:59.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-12514 (GCVE-0-2025-12514)

    Vulnerability from cvelistv5 – Published: 2025-12-22 10:59 – Updated: 2026-01-05 09:52
    VLAI
    Title
    A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows SQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Centreon Infra Monitoring - Open-tickets Affected: 24.10.0 , < 24.10.5 (custom)
    Affected: 24.04.0 , < 24.04.5 (custom)
    Affected: 23.10.0 , < 23.10.4 (custom)
    Create a notification for this product.
    Credits
    Marcelo Queiroz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-12514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T13:00:53.955586Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T13:03:40.534Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Notification rules configuration parameters",
                "Open tickets"
              ],
              "product": "Infra Monitoring - Open-tickets",
              "vendor": "Centreon",
              "versions": [
                {
                  "lessThan": "24.10.5",
                  "status": "affected",
                  "version": "24.10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "24.04.5",
                  "status": "affected",
                  "version": "24.04.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "23.10.4",
                  "status": "affected",
                  "version": "23.10.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Marcelo Queiroz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows \n\nSQL Injection to user with elevated privileges.\u003cp\u003eThis issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Centreon Infra Monitoring - Open-tickets (Notification rules configuration parameters, Open tickets modules) allows \n\nSQL Injection to user with elevated privileges.This issue affects Infra Monitoring - Open-tickets: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-66 SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-05T09:52:48.786Z",
            "orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
            "shortName": "Centreon"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/centreon/centreon/releases"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12514-centreon-open-tickets-high-severity-5343"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A user with elevated privileges is able to introduce a SQL Injection using the Open-tickets Notification rules configuration parameters",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
        "assignerShortName": "Centreon",
        "cveId": "CVE-2025-12514",
        "datePublished": "2025-12-22T10:59:18.155Z",
        "dateReserved": "2025-10-30T15:26:40.360Z",
        "dateUpdated": "2026-01-05T09:52:48.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8460 (GCVE-0-2025-8460)

    Vulnerability from cvelistv5 – Published: 2025-12-22 10:55 – Updated: 2026-01-05 09:51
    VLAI
    Title
    A user with elevated privileges can inject XSS in the Notification rules configuration page
    Summary
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) allows Stored XSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Centreon Infra Monitoring Affected: 24.10.0 , < 24.10.5 (custom)
    Affected: 24.04.0 , < 24.04.5 (custom)
    Affected: 23.10.0 , < 23.10.4 (custom)
    Create a notification for this product.
    Credits
    Marcelo Queiroz
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-22T13:06:38.809854Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-22T13:07:32.339Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Notification rules",
                "Open tickets"
              ],
              "product": "Infra Monitoring",
              "vendor": "Centreon",
              "versions": [
                {
                  "lessThan": "24.10.5",
                  "status": "affected",
                  "version": "24.10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "24.04.5",
                  "status": "affected",
                  "version": "24.04.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "23.10.4",
                  "status": "affected",
                  "version": "23.10.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Marcelo Queiroz"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) \n\nallows Stored \n\nXSS by users with elevated privileges.\u003cp\u003eThis issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Centreon Infra Monitoring (Notification rules, Open tickets module) \n\nallows Stored \n\nXSS by users with elevated privileges.This issue affects Infra Monitoring: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.5, from 23.10.0 before 23.10.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-05T09:51:56.936Z",
            "orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
            "shortName": "Centreon"
          },
          "references": [
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://github.com/centreon/centreon/releases"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8460-centreon-open-tickets-medium-severity-5344"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A user with elevated privileges can inject XSS in the Notification rules configuration page",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
        "assignerShortName": "Centreon",
        "cveId": "CVE-2025-8460",
        "datePublished": "2025-12-22T10:55:58.934Z",
        "dateReserved": "2025-08-01T13:57:56.199Z",
        "dateUpdated": "2026-01-05T09:51:56.936Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }