CVE-2015-1561 — Centreon Command Injection

Description

The `escape_command` function in `include/Administration/corePerformance/getStats.php` in Centreon (formerly Merethis Centreon) 2.5.4 and earlier (offending file deleted in Centreon 19.10.0) uses an incorrect regular expression, which allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `ns_id` parameter.

How to fix CVE-2015-1561

To remediate CVE-2015-1561, upgrade the affected package to a fixed version below.

—upgrade to 2.8.28 or later

Is CVE-2015-1561 being exploited?

Moderate — EPSS is 5.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.8.28

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-1561
PATCHgithub.com/centreon/centreon-archived
WEBpacketstormsecurity.com/files/132607/Merethis-Centreon-2.5.4-SQL-Injection-Remote-Command-Execution.html
WEBforge.centreon.com/projects/centreon/repository/revisions/387dffdd051dbc7a234e1138a9d06f3089bb55bb