CVE-2025-13056: Centreon Infra Monitoring XSS Vulnerability

CVE-2025-13056 Overview

CVE-2025-13056 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Centreon Infra Monitoring, specifically within the Administration ACL menu configuration modules. This vulnerability allows attackers with high privileges to inject malicious scripts that persist in the application and execute in the context of other users' browser sessions when they access the affected administrative pages.

The vulnerability stems from improper neutralization of input during web page generation (CWE-79), enabling authenticated users with administrative access to embed persistent malicious payloads within the ACL configuration interface.

Critical Impact
Privileged attackers can leverage this Stored XSS vulnerability to steal session tokens, escalate privileges, or execute arbitrary actions on behalf of other administrative users accessing the Centreon monitoring platform.

Affected Products

Centreon Infra Monitoring versions 25.10.0 to 25.10.1 (fixed in 25.10.2)
Centreon Infra Monitoring versions 24.10.0 to 24.10.14 (fixed in 24.10.15)
Centreon Infra Monitoring versions 24.04.0 to 24.04.18 (fixed in 24.04.19)

Discovery Timeline

2026-01-05 - CVE-2025-13056 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-13056

Vulnerability Analysis

This Stored XSS vulnerability exists in the Administration ACL (Access Control List) menu configuration modules of Centreon Infra Monitoring. The vulnerability occurs because user-supplied input in the ACL configuration interface is not properly sanitized before being stored in the database and subsequently rendered in web pages.

When a privileged user with access to the Administration ACL configuration submits malicious JavaScript code through input fields, the application fails to properly encode or filter this content. The malicious payload is then stored persistently and executed whenever another user views the affected configuration page, making this a particularly dangerous form of XSS attack.

The scope change indicated in the vulnerability assessment means that exploitation can impact resources beyond the vulnerable component itself, potentially affecting other users' sessions and data within the Centreon platform.

Root Cause

The root cause of CVE-2025-13056 lies in insufficient input validation and output encoding within the ACL menu configuration modules. The application accepts and stores user-controlled data without properly sanitizing HTML and JavaScript content. When this data is rendered back to users, it is not properly escaped, allowing embedded scripts to execute in the victim's browser context.

This represents a classic Stored XSS pattern where the application trusts privileged user input without implementing proper security controls for content that will be displayed to other users.

Attack Vector

The attack is network-based and requires the attacker to have high-privilege access to the Centreon administrative interface. The exploitation flow involves:

An attacker with administrative privileges navigates to the ACL menu configuration modules
The attacker injects malicious JavaScript code into a vulnerable input field
The malicious payload is stored in the application database
When other administrative users access the affected configuration page, the stored script executes in their browser
The executed script can steal session cookies, perform actions as the victim user, or further compromise the monitoring infrastructure

While the attack requires high privileges to initiate, it does not require user interaction from victims—the malicious script executes automatically when the affected page is loaded.

Detection Methods for CVE-2025-13056

Indicators of Compromise

Unusual JavaScript content within ACL configuration entries or database records
Unexpected HTTP requests originating from the Centreon web interface to external domains
Session tokens appearing in server logs or network traffic destined for unauthorized endpoints
Modified ACL configurations containing encoded or obfuscated script content

Detection Strategies

Implement Content Security Policy (CSP) headers and monitor CSP violation reports for XSS attempts
Review Centreon application logs for suspicious patterns in ACL configuration changes
Deploy Web Application Firewall (WAF) rules to detect XSS payloads in administrative requests
Enable audit logging for all changes to ACL configurations and review for anomalous content

Monitoring Recommendations

Monitor database tables associated with ACL configurations for script-like content patterns
Set up alerts for outbound connections initiated from the Centreon web server to unexpected destinations
Track administrative user sessions for unusual activity patterns following ACL configuration access
Implement real-time log analysis to correlate ACL modification events with suspicious client-side behavior

How to Mitigate CVE-2025-13056

Immediate Actions Required

Upgrade Centreon Infra Monitoring to the patched version for your release branch (25.10.2, 24.10.15, or 24.04.19)
Audit existing ACL configurations for any previously injected malicious content
Review administrative access logs to identify potential exploitation attempts
Restrict administrative access to the ACL configuration modules to only essential personnel

Patch Information

Centreon has released security patches addressing this vulnerability across multiple supported versions. Organizations should upgrade to the following minimum versions:

Version 25.10.2 for the 25.10.x branch
Version 24.10.15 for the 24.10.x branch
Version 24.04.19 for the 24.04.x branch

For detailed release notes and download links, refer to the GitHub Centreon Release Notes. Additional vulnerability details are available in the Centreon Security Bulletin CVE-2025-13056.

Workarounds

Implement a Web Application Firewall with XSS detection rules to filter malicious input to the ACL configuration endpoints
Apply strict Content Security Policy headers to prevent inline script execution as an additional defense layer
Limit network access to the Centreon administrative interface to trusted IP ranges only
Consider temporarily disabling the ACL configuration module access until patching can be completed

bash

# Example: Add CSP headers in Apache configuration for Centreon
# Add to your Centreon virtual host configuration
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

CVE-2025-13056 Overview

Critical Impact
Privileged attackers can leverage this Stored XSS vulnerability to steal session tokens, escalate privileges, or execute arbitrary actions on behalf of other administrative users accessing the Centreon monitoring platform.

Affected Products

Centreon Infra Monitoring versions 25.10.0 to 25.10.1 (fixed in 25.10.2)
Centreon Infra Monitoring versions 24.10.0 to 24.10.14 (fixed in 24.10.15)
Centreon Infra Monitoring versions 24.04.0 to 24.04.18 (fixed in 24.04.19)

Discovery Timeline

2026-01-05 - CVE-2025-13056 published to NVD
2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-13056

Vulnerability Analysis

Root Cause

This represents a classic Stored XSS pattern where the application trusts privileged user input without implementing proper security controls for content that will be displayed to other users.

Attack Vector

The attack is network-based and requires the attacker to have high-privilege access to the Centreon administrative interface. The exploitation flow involves:

An attacker with administrative privileges navigates to the ACL menu configuration modules
The attacker injects malicious JavaScript code into a vulnerable input field
The malicious payload is stored in the application database
When other administrative users access the affected configuration page, the stored script executes in their browser
The executed script can steal session cookies, perform actions as the victim user, or further compromise the monitoring infrastructure

While the attack requires high privileges to initiate, it does not require user interaction from victims—the malicious script executes automatically when the affected page is loaded.

Detection Methods for CVE-2025-13056

Indicators of Compromise

Unusual JavaScript content within ACL configuration entries or database records
Unexpected HTTP requests originating from the Centreon web interface to external domains
Session tokens appearing in server logs or network traffic destined for unauthorized endpoints
Modified ACL configurations containing encoded or obfuscated script content

Detection Strategies

Implement Content Security Policy (CSP) headers and monitor CSP violation reports for XSS attempts
Review Centreon application logs for suspicious patterns in ACL configuration changes
Deploy Web Application Firewall (WAF) rules to detect XSS payloads in administrative requests
Enable audit logging for all changes to ACL configurations and review for anomalous content

Monitoring Recommendations

Monitor database tables associated with ACL configurations for script-like content patterns
Set up alerts for outbound connections initiated from the Centreon web server to unexpected destinations
Track administrative user sessions for unusual activity patterns following ACL configuration access
Implement real-time log analysis to correlate ACL modification events with suspicious client-side behavior

How to Mitigate CVE-2025-13056

Immediate Actions Required

Upgrade Centreon Infra Monitoring to the patched version for your release branch (25.10.2, 24.10.15, or 24.04.19)
Audit existing ACL configurations for any previously injected malicious content
Review administrative access logs to identify potential exploitation attempts
Restrict administrative access to the ACL configuration modules to only essential personnel

Patch Information

Centreon has released security patches addressing this vulnerability across multiple supported versions. Organizations should upgrade to the following minimum versions:

Version 25.10.2 for the 25.10.x branch
Version 24.10.15 for the 24.10.x branch
Version 24.04.19 for the 24.04.x branch

For detailed release notes and download links, refer to the GitHub Centreon Release Notes. Additional vulnerability details are available in the Centreon Security Bulletin CVE-2025-13056.

Workarounds

Implement a Web Application Firewall with XSS detection rules to filter malicious input to the ACL configuration endpoints
Apply strict Content Security Policy headers to prevent inline script execution as an additional defense layer
Limit network access to the Centreon administrative interface to trusted IP ranges only
Consider temporarily disabling the ACL configuration module access until patching can be completed

bash

# Example: Add CSP headers in Apache configuration for Centreon
# Add to your Centreon virtual host configuration
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

CVE-2025-13056: Centreon Infra Monitoring XSS Vulnerability

CVE-2025-13056 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-13056

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-13056

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-13056

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2025-13056: Centreon Infra Monitoring XSS Vulnerability

CVE-2025-13056 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2025-13056

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2025-13056

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2025-13056

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform