Introduction
Attackers with basic user credentials can compromise the integrity of Centreon monitoring data by exploiting a SQL injection flaw in the event logs module. This vulnerability allows malicious payloads to be inserted into the database, potentially leading to unauthorized data access or manipulation across monitored systems.
Centreon is a widely used IT monitoring platform, deployed by enterprises and service providers to track the health and status of critical infrastructure. Its open-source and commercial offerings are popular due to their flexibility and integration capabilities. However, Centreon's history includes several notable security issues, making timely patching and security best practices essential for its user base.
Technical Information
CVE-2025-6791 is a second-order SQL injection vulnerability found in the monitoring event logs page of Centreon Web. The flaw is caused by improper neutralization of special elements used in SQL commands, classified under CWE-89. Attackers can alter HTTP requests to insert crafted payloads into the database. These payloads are not executed immediately but are stored and later processed by vulnerable SQL queries in the event logs module. When the application subsequently retrieves and processes this data, the malicious SQL executes, potentially exposing or altering sensitive monitoring information.
Key technical points:
- The vulnerability requires authenticated access but does not require elevated privileges.
- Exploitation involves submitting specially crafted input via HTTP requests to the event logs page.
- The injected payload is stored in the database and executed during later operations (second-order injection).
- The root cause is insufficient input sanitization and lack of parameterized queries in the affected module.
No public vulnerable code snippets are available at this time. The attack complexity is low, and exploitation can be achieved by any authenticated user with access to the monitoring event logs interface.
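Since no vulnerable Centreon code is public, the following is an added, self-contained illustration of the second-order pattern described above; it is not Centreon's code and does not reproduce the real query. It uses Python's sqlite3 module on an in-memory database with constructed sample rows: a stored host name containing a SQL fragment is written safely through a parameterized INSERT, so nothing happens on storage, but a later query that splices the trusted stored value into SQL text is subverted. The parameterized variant beside it is the fix the root-cause bullet points to (the table names, host names and messages are hypothetical):

```python
import sqlite3

# Constructed sample value: a host name that carries a SQL fragment. The first
# write below is parameterized, so this is stored verbatim and harmlessly; the
# problem only appears when a later query trusts the stored string.
TAINTED_HOST = "web01' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed hosts and event rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE hosts(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE log_events(id INTEGER PRIMARY KEY, host_name TEXT NOT NULL, msg TEXT NOT NULL);
        """
    )
    # First-order write is parameterized: the tainted name is just data here.
    con.executemany(
        "INSERT INTO hosts(name) VALUES (?)",
        [("web01",), ("db01",), (TAINTED_HOST,)],
    )
    con.executemany(
        "INSERT INTO log_events(host_name, msg) VALUES (?, ?)",
        [
            ("web01", "OK - HTTP 200"),
            ("db01", "CRITICAL - connection refused"),
            ("web01", "WARNING - slow response"),
        ],
    )
    return con


def events_for_host_vulnerable(con: sqlite3.Connection, host_id: int) -> list:
    """Second-order injection: the stored name is read safely, then spliced into SQL."""
    name = con.execute("SELECT name FROM hosts WHERE id = ?", (host_id,)).fetchone()[0]
    # Trusting a value because it came from the database is the defect:
    # for the tainted host this becomes ... WHERE host_name = 'web01' OR '1'='1'
    sql = f"SELECT msg FROM log_events WHERE host_name = '{name}' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def events_for_host_fixed(con: sqlite3.Connection, host_id: int) -> list:
    """Hardened form: every query is parameterized, including the second-order one."""
    name = con.execute("SELECT name FROM hosts WHERE id = ?", (host_id,)).fetchone()[0]
    rows = con.execute(
        "SELECT msg FROM log_events WHERE host_name = ? ORDER BY id", (name,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    # Host id 3 is the tainted one: the vulnerable path leaks every host's events,
    # the fixed path correctly finds no events for that literal name.
    print("vulnerable:", events_for_host_vulnerable(db, 3))
    print("fixed:     ", events_for_host_fixed(db, 3))
```

The point for reviewers is that parameterizing the write is not enough; the value must be bound as a parameter at every later use, which is why a code audit for this class of flaw should search for string-built SQL regardless of where the interpolated value originates.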
Patch Information
In response to the identified vulnerability, the DOMPurify team released version 3.2.4, which includes a crucial fix to address the mXSS-style bypass. The core of this fix involves modifying the regular expression used for detecting template literals. The previous regex pattern was:
/\$\{[^}]+\}/g
This pattern was susceptible to bypasses under certain configurations. To enhance security, the regex was updated to:
/\$\{[^}]+\}/
By removing the global flag (g), the new pattern ensures that only the first occurrence of a template literal is matched, preventing potential bypasses that could exploit multiple matches. This change effectively mitigates the risk associated with the incorrect template literal regular expression.
Additionally, version 3.2.4 introduces a feature allowing for the removal of specific hooks, providing developers with more granular control over the sanitization process. This enhancement is particularly useful for applications requiring customized sanitization logic.
To benefit from these improvements and ensure robust protection against mXSS vulnerabilities, it is strongly recommended to upgrade to DOMPurify version 3.2.4 or later. This update not only addresses the identified security issue but also enhances the library's flexibility and reliability in handling complex sanitization scenarios.
Patch source: https://github.com/cure53/DOMPurify/releases/tag/3.2.4
Affected Systems and Versions
- Centreon Web 24.10.0 before 24.10.9
- Centreon Web 24.04.0 before 24.04.16
- Centreon Web 23.10.0 before 23.10.26
Any deployment running a version within these ranges is vulnerable if the monitoring event logs module is accessible to authenticated users.
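As an added helper for inventory checks (not a vendor tool), the following Python function encodes the three affected ranges listed above and reports whether a given Centreon Web version string falls inside one of them. It assumes a dotted three-part version, optionally followed by a suffix such as "-1" or "-beta" that it ignores; branches the advisory does not list (for example an end-of-life series) are reported as not listed rather than as safe:

```python
# Ranges exactly as listed in the advisory: branch -> first fixed release.
# A version on one of these branches is affected when it is below the fixed release.
FIRST_FIXED = {
    (24, 10): (24, 10, 9),
    (24, 4): (24, 4, 16),
    (23, 10): (23, 10, 26),
}


def parse_version(version: str) -> tuple:
    """Turn '24.04.3' or '24.04.3-1' into (24, 4, 3); raises ValueError otherwise."""
    core = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {version!r}")
    return parts


def assess(version: str) -> str:
    """Return 'affected', 'fixed', or 'not listed' for a Centreon Web version."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        # The advisory only names three branches; say so instead of implying safety.
        return "not listed"
    return "affected" if v < fixed else "fixed"


def triage(inventory: dict) -> dict:
    """Map host -> assessment for a constructed {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {"mon-a": "24.10.8", "mon-b": "24.10.9", "mon-c": "23.10.2-1", "legacy": "22.10.5"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```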
Vendor Security History
Centreon has experienced multiple critical vulnerabilities in recent years, including:
- CVE-2024-23119: SQL injection in insertGraphTemplate function (CVSS 8.8)
- CVE-2020-10945: Session identifier exposure and cross-site scripting
- Other SQL injection and authentication bypass issues across various modules
The vendor typically responds with coordinated disclosures and timely patches, but the recurrence of similar flaws highlights persistent challenges in input validation and secure development practices.