CVE-2024-53923

Critical

Published: 23 January 2025

Published

23 January 2025

Modified

06 June 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0013 32.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in Centreon Web 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, 23.04.x before 23.04.24. A user with high privileges is able to achieve SQL injection in the form to upload media.

Security Summary

CVE-2024-53923 is a SQL injection vulnerability (CWE-89) in Centreon Web, affecting versions 24.10.x before 24.10.3, 24.04.x before 24.04.9, 23.10.x before 23.10.19, and 23.04.x before 23.04.24. The issue resides in the form used to upload media, where a user with high privileges can inject malicious SQL payloads due to inadequate input validation.

Exploitation requires an authenticated attacker with high privileges, enabling remote access over the network with low attack complexity and no additional user interaction. The vulnerability allows scope change, resulting in high impacts to confidentiality, integrity, and availability, as evidenced by its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Centreon advisories detail mitigation through upgrading to patched releases: 24.10.3, 24.04.9, 23.10.19, or 23.04.24. Further information is available in the Centreon GitHub releases page and the security bulletin on thewatch.centreon.com.

Details

CWE(s): CWE-89

Affected Products

centreon

centreon web

23.04.0 — 23.04.24 · 23.10.0 — 23.10.19 · 24.04.0 — 24.04.9

References

https://github.com/centreon/centreon/releases
Release Notes · cve@mitre.org
https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-53923-centreon-web-critical-severity-4265
Vendor Advisory · cve@mitre.org