CVE-2025-4648

Description

The content of a SVG file, received as input in Centreon web, was not properly checked. Allows Reflected XSS. A user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request. This issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected products

Centreon / web24.10.0 – 24.10.5
Centreon / web24.04.0 – 24.04.11
Centreon / web23.10.0 – 23.10.22
Centreon / web23.04.0 – 23.04.27
Centreon / web22.10.0 – 22.10.29

References

MISChttps://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55575-centreon-web-high-severity-4434
PATCHhttps://github.com/centreon/centreon/releases