Infra Monitoring
Monthly
Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and no EPSS score supplied, but the low authentication barrier and RCE outcome make this a high-priority patch.
Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and no EPSS score supplied, but the low authentication barrier and RCE outcome make this a high-priority patch.