CVE-2025-8460
📋 TL;DR
This stored XSS vulnerability in Centreon Infra Monitoring allows authenticated users with elevated privileges to inject malicious scripts into notification rules and open tickets modules. When other users view these compromised pages, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. Affected versions include 24.10.0-24.10.4, 24.04.0-24.04.4, and 23.10.0-23.10.3.
💻 Affected Systems
- Centreon Infra Monitoring
📦 What is this software?
Open Tickets by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker steals administrator session cookies, gains full system control, exfiltrates sensitive monitoring data, and deploys backdoors.
Likely Case
Privileged user exploits to steal other users' session tokens, escalate privileges, or perform unauthorized actions within the monitoring system.
If Mitigated
Limited to authenticated privileged users only; impact contained to monitoring interface with proper network segmentation.
🎯 Exploit Status
Requires authenticated privileged access; exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.5, 24.04.5, 23.10.4
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8460-centreon-open-tickets-medium-severity-5344
Restart Required: Yes
Instructions:
1. Backup Centreon configuration and database.
2. Update to patched version via package manager (yum update centreon or apt upgrade centreon).
3. Restart Centreon services (systemctl restart centreon).
4. Verify update via web interface version check.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input sanitization for notification rules and ticket fields.
# Requires custom development - implement proper HTML encoding for user inputs in affected modules
Privilege Reduction
Temporarily reduce privileges for users who don't need access to notification rules and open tickets modules.
# Use Centreon ACL to restrict module access: centreon -u admin -p password -o ACL -a update
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution.
- Enable web application firewall (WAF) rules specifically blocking XSS patterns in Centreon paths.
🔍 How to Verify
Check if Vulnerable:
Check Centreon version via web interface (Administration > Parameters > Centreon) or command: rpm -qa | grep centreon-web
Check Version:
rpm -qa | grep centreon-web || dpkg -l | grep centreon-web
Verify Fix Applied:
Confirm the installed version is at or above the fixed release for its branch (24.10.5, 24.04.5, or 23.10.4); test XSS payload injection in notification rules.
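The version check above can be automated against the output of the rpm/dpkg commands. The following is an added example (not from the advisory or from Centreon) that parses a centreon-web package line and compares it with the fixed releases per branch listed in this advisory; the sample package lines are constructed.

```python
import re

# Fixed releases per branch, as given in this advisory.
FIXED = {
    (24, 10): (24, 10, 5),
    (24, 4): (24, 4, 5),
    (23, 10): (23, 10, 4),
}

# Matches both 'centreon-web-24.10.3-1.el9.noarch' (rpm -qa) and
# 'ii  centreon-web  24.04.2-1.bookworm  all' (dpkg -l).
PKG_RE = re.compile(r"centreon-web[-\s]+(\d+)\.(\d+)\.(\d+)")


def parse_version(line):
    """Return (major, minor, patch) of centreon-web from a package line, or None."""
    m = PKG_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """Classify a centreon-web version against the advisory's fixed releases.

    'vulnerable' if below the fixed release of its branch, 'fixed' if at or
    above it, 'not-listed' for branches this advisory does not mention.
    """
    branch = (version[0], version[1])
    if branch not in FIXED:
        return "not-listed"
    return "fixed" if version >= FIXED[branch] else "vulnerable"


def check_package_lines(lines):
    """Assess every centreon-web package line found in rpm/dpkg output."""
    results = []
    for line in lines:
        v = parse_version(line)
        if v is not None:
            results.append((".".join(map(str, v)), assess(v)))
    return results


if __name__ == "__main__":
    # Constructed sample lines standing in for real rpm -qa / dpkg -l output.
    sample = [
        "centreon-web-24.10.3-1.el9.noarch",
        "ii  centreon-web  24.04.5-1.bookworm  all",
        "centreon-web-23.10.4-2.el8.noarch",
    ]
    for ver, status in check_package_lines(sample):
        print(f"centreon-web {ver}: {status}")
```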
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /centreon/include/configuration/configObject/notification/*
- JavaScript patterns in notification rule updates
- Multiple failed login attempts followed by successful privileged login
Network Indicators:
- Outbound connections to suspicious domains from Centreon server
- Unusual traffic patterns to Centreon web interface
SIEM Query:
source="centreon.log" AND ("notification" OR "open tickets") AND ("script" OR "javascript" OR "onload" OR "onerror")