
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN552
_____________________________________________________________________

DATE                : 27/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Centreon Web versions prior to
                     24.10.11, 24.04.17, 23.10.27;
                     Centreon Gorgone versions prior to 24.10.7,
                     24.04.10, 23.10.14;
                     Centreon License Manager versions prior to
                     24.10.3, 24.04.5, 23.10.6.

=====================================================================
https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-all-versions-high-severity-4935
https://thewatch.centreon.com/latest-security-bulletins-64/centreon-gorgone-all-versions-critical-severity-4933
https://thewatch.centreon.com/latest-security-bulletins-64/centreon-license-manager-all-versions-high-severity-4904
_____________________________________________________________________

Publication date: August 25th, 2025

Components: centreon-web

Description: No password confirmation is requested when changing the
password from the user profile page or from the user management page
when local authentication is used. Without that re-authentication,
anyone holding a valid session for the account (or a user with rights
on the user management page) can set a new password without knowing
the current one.

Reference: N/A

CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Severity: High


Status: Fixes have been provided for all supported versions and
it is recommended to update Centreon Web on Central Server:

    Centreon Web 24.10.11
    Centreon Web 24.04.17
    Centreon Web 23.10.27

These versions include cumulative fixes from prior updates.

_____________________________________________________________________

Publication date: August 11th, 2025

Components: centreon-gorgone

Description: The command whitelist used for auto-discovery is too
permissive and could be exploited by a user with privileges on the
Centreon UI to remotely control a target.

Reference: N/A

CVSS: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Severity: Critical


Status: Fixes have been provided for all supported versions. It is
recommended to update Centreon Gorgone on the Centreon Central server
and to add the parameter "no_shell_interpretation" to the Gorgone
configuration as documented by Centreon; the parameter is a separate
step from the package update and has to be set explicitly:

    Centreon Gorgone 24.10.7
    Centreon Gorgone 24.04.10
    Centreon Gorgone 23.10.14

These versions include cumulative fixes from prior updates.
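The Gorgone fix pairs a tighter whitelist with the "no_shell_interpretation" option. The following Python example is added to this note and is not Centreon's code; it illustrates why the option matters. The whitelist pattern in it is an illustrative assumption, not Gorgone's real whitelist, and the `no_shell_interpretation` argument only borrows the option's name: the semantics modelled are the usual distinction between handing a command string to `sh -c` (where `;`, `&&`, `|`, `$(...)` and backticks spawn further programs) and splitting it into an argv array, where exactly one program runs and those characters are literal arguments. A prefix-anchored whitelist accepts the injected string in both modes; only the no-shell mode keeps the second command from running.

```python
import re
import shlex

# Illustrative whitelist (assumption, not Gorgone's real pattern): it only
# checks what the command string starts with, so any text appended after
# the plugin path still matches.
WHITELIST = [re.compile(r"^/usr/lib/centreon/plugins/\S+")]

# Operators a POSIX shell uses to chain several commands in one string,
# and the two command-substitution syntaxes.
SHELL_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")
COMMAND_SUBSTITUTION = re.compile(r"\$\(([^)]*)\)|`([^`]*)`")


def is_whitelisted(command: str) -> bool:
    """Prefix-only check on the raw command string."""
    return any(pattern.match(command) for pattern in WHITELIST)


def programs_run(command: str, no_shell_interpretation: bool) -> list[str]:
    """Programs that would actually be executed for `command`.

    With no_shell_interpretation the string is split into an argv array
    and exactly one program (argv[0]) runs; everything else is a literal
    argument.  Without it the string goes to `sh -c`, so separators and
    command substitutions spawn further programs.  This is a simplified
    model of shell parsing, enough for ';', '&&', '||', '|', $(...) and
    backticks; it is not a full shell grammar.
    """
    if no_shell_interpretation:
        argv = shlex.split(command)
        return argv[:1]
    programs: list[str] = []
    for segment in SHELL_SEPARATORS.split(command):
        segment = segment.strip()
        if not segment:
            continue
        # $(...) and `...` are evaluated before the segment's own program
        for dollar, backtick in COMMAND_SUBSTITUTION.findall(segment):
            programs.extend(programs_run(dollar or backtick, False))
        argv = shlex.split(segment)
        if argv:
            programs.append(argv[0])
    return programs


def command_allowed(command: str, no_shell_interpretation: bool) -> bool:
    """Whitelist check applied to every program that would run, not just
    to the start of the string."""
    return is_whitelisted(command) and all(
        is_whitelisted(program)
        for program in programs_run(command, no_shell_interpretation)
    )


if __name__ == "__main__":
    # Constructed attacker input: a legitimate-looking plugin path with a
    # second command chained on after the arguments.
    injected = "/usr/lib/centreon/plugins/check_x --host=10.0.0.1 ; id"
    print("prefix whitelist accepts it:", is_whitelisted(injected))
    print("programs run via shell:     ", programs_run(injected, False))
    print("programs run without shell: ", programs_run(injected, True))
```

The point for operators is that the package update and the configuration parameter are complementary: the stricter whitelist narrows what the prefix check accepts, while no-shell execution removes the interpretation step that turned a whitelisted string into several commands. Checking the installed Gorgone version alone does not tell you whether the parameter is set; read the configuration too.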

_____________________________________________________________________

Publication date: August 7th, 2025

Components: centreon-license-manager

Description: The DOMPurify dependency is vulnerable to Prototype
Pollution. The vulnerability is due to insufficient sanitization,
allowing attackers to manipulate the prototype of JavaScript
objects, potentially leading to unexpected behavior or security
issues.

Reference: N/A

CVSS: 8.6

Severity: High


Status: Fixes have been provided for all supported versions and
it is recommended to update Centreon License Manager on Centreon
Central server:

    Centreon License Manager 24.10.3
    Centreon License Manager 24.04.5
    Centreon License Manager 23.10.6

These versions include cumulative fixes from prior updates.
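To compare an installation against the three fix lists in this note, here is a small Python checker added to this note (it is not Centreon tooling). It assumes that the component names used above are also the installed package names and that the inventory is given as `name version-release` lines, as printed for example by `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <package>`; the inventory embedded below is constructed for the example. A branch that does not appear in the note is reported separately rather than as fixed.

```python
import re

# Fixed versions from this note, keyed by component and release branch.
FIXED_VERSIONS = {
    "centreon-web":             {"24.10": "24.10.11", "24.04": "24.04.17", "23.10": "23.10.27"},
    "centreon-gorgone":         {"24.10": "24.10.7",  "24.04": "24.04.10", "23.10": "23.10.14"},
    "centreon-license-manager": {"24.10": "24.10.3",  "24.04": "24.04.5",  "23.10": "23.10.6"},
}

# Constructed sample inventory (assumed format "name version-release",
# e.g. from rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <package>).
SAMPLE_INVENTORY = """\
centreon-web 24.10.10-1.el9
centreon-gorgone 24.04.10-1.el9
centreon-license-manager 23.10.5-2.el9
centreon-broker 24.10.3-1.el9
"""


def parse_version(version: str) -> tuple[int, ...]:
    """'24.04.17-1.el9' -> (24, 4, 17); the packaging release is ignored."""
    core = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)+", core):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.split("."))


def status(component: str, installed: str) -> str:
    """One of:
    'fixed'       installed >= fixed version of its branch
    'vulnerable'  installed <  fixed version of its branch
    'not-in-note' branch (e.g. 22.10) not listed in this note
    'not-covered' component not listed in this note
    """
    branches = FIXED_VERSIONS.get(component)
    if branches is None:
        return "not-covered"
    parts = parse_version(installed)
    branch = f"{parts[0]:02d}.{parts[1]:02d}"   # (24, 4, 17) -> "24.04"
    fixed = branches.get(branch)
    if fixed is None:
        return "not-in-note"
    return "fixed" if parts >= parse_version(fixed) else "vulnerable"


def audit(inventory: str) -> dict[str, str]:
    """Map each inventory line to its status."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, version = line.split(maxsplit=1)
        results[name] = status(name, version.strip())
    return results


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{name:28s} {verdict}")
```

Two caveats when reading the output. A "not-in-note" branch is not a clean result: the note states that fixes were provided for supported versions only, so an installation on an unlisted branch needs to move to one of the listed branches rather than be marked as safe. And for Gorgone, a "fixed" package version says nothing about whether "no_shell_interpretation" has been added to the configuration, which is the second half of that fix.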

 

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
