CVE-2025-12511 Overview
CVE-2025-12511 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Centreon Infra Monitoring's DSM (Dynamic Service Management) extension configuration modules. This vulnerability allows attackers with elevated privileges to inject malicious scripts that are persistently stored on the server and executed when other users access the affected pages.
Critical Impact
Authenticated attackers with high privileges can inject persistent malicious scripts into DSM configuration modules, potentially compromising privileged user sessions and enabling unauthorized actions within the monitoring infrastructure.
Affected Products
- Centreon Infra Monitoring versions 25.10.0 to before 25.10.1
- Centreon Infra Monitoring versions 24.10.0 to before 24.10.4
- Centreon Infra Monitoring versions 24.04.0 to before 24.04.8
Discovery Timeline
- 2026-01-05 - CVE-2025-12511 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-12511
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) exists within the DSM extension configuration modules of Centreon Infra Monitoring. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing malicious JavaScript code to be stored persistently in the application.
The attack requires authentication with elevated privileges but can be executed remotely over the network without user interaction. Once a malicious payload is stored, it executes whenever a victim user accesses the compromised configuration page, potentially exposing confidential information across security boundaries due to the scope change characteristic.
Root Cause
The root cause of CVE-2025-12511 is insufficient input validation and output encoding in the DSM extension configuration modules. When users with elevated privileges submit configuration data, the application fails to properly sanitize HTML and JavaScript content before storing it in the database and rendering it in web pages. This allows specially crafted input containing script tags or event handlers to be stored and later executed in the context of other users' browser sessions.
Attack Vector
The attack is network-based and requires the attacker to have high-level privileges within the Centreon platform. The attacker injects malicious JavaScript code through the DSM configuration interface, where it is stored without proper sanitization. When other users with elevated privileges access the affected configuration pages, the stored malicious script executes in their browser context.
Due to the scope change characteristic, a successful exploit can impact resources beyond the vulnerable component's security scope, potentially enabling session hijacking, credential theft, or unauthorized administrative actions. The vulnerability primarily threatens confidentiality, as indicated by the high confidentiality impact.
Detection Methods for CVE-2025-12511
Indicators of Compromise
- Unusual JavaScript code or HTML tags present in DSM configuration module data fields
- Unexpected script execution errors or browser security warnings when accessing DSM configuration pages
- Suspicious entries in web server access logs showing encoded script payloads in configuration requests
Detection Strategies
- Review DSM configuration module database entries for suspicious HTML or JavaScript content patterns such as <script>, onerror=, onload=, or javascript: URIs
- Implement Content Security Policy (CSP) headers and monitor for CSP violation reports indicating XSS attempts
- Audit privileged user activity logs for unusual configuration changes in DSM modules
Monitoring Recommendations
- Enable verbose logging for all DSM configuration module access and modifications
- Deploy web application firewall (WAF) rules to detect and block common XSS payload patterns
- Monitor browser-side security events and implement client-side JavaScript integrity checks
How to Mitigate CVE-2025-12511
Immediate Actions Required
- Upgrade Centreon Infra Monitoring to patched versions: 25.10.1, 24.10.4, or 24.04.8 depending on your current release branch
- Audit existing DSM configuration entries for any suspicious content that may have been injected
- Implement strict Content Security Policy headers to mitigate impact of any undetected stored payloads
- Review and restrict privileges for users with access to DSM configuration modules
Patch Information
Centreon has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions based on their current deployment:
- Version 25.10.1 for users on the 25.10.x branch
- Version 24.10.4 for users on the 24.10.x branch
- Version 24.04.8 for users on the 24.04.x branch
For detailed release information and download links, refer to the GitHub Centreon Releases page and the Centreon Security Bulletin.
Workarounds
- Restrict network access to the Centreon web interface to trusted IP ranges only
- Limit the number of users with elevated privileges capable of modifying DSM configurations
- Implement additional input validation at the web application firewall level to filter potential XSS payloads
- Enable and enforce Content Security Policy headers with strict script-src directives
# Example Apache configuration for Content Security Policy headers
# Add to your Centreon virtual host configuration
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
