CVE-2025-13056 Overview
CVE-2025-13056 is a Stored Cross-Site Scripting (XSS) vulnerability affecting Centreon Infra Monitoring, specifically within the Administration ACL menu configuration modules. This vulnerability allows attackers with high privileges to inject malicious scripts that persist in the application and execute in the context of other users' browser sessions when they access the affected administrative pages.
The vulnerability stems from improper neutralization of input during web page generation (CWE-79), enabling authenticated users with administrative access to embed persistent malicious payloads within the ACL configuration interface.
Critical Impact
Privileged attackers can leverage this Stored XSS vulnerability to steal session tokens, escalate privileges, or execute arbitrary actions on behalf of other administrative users accessing the Centreon monitoring platform.
Affected Products
- Centreon Infra Monitoring versions 25.10.0 to 25.10.1 (fixed in 25.10.2)
- Centreon Infra Monitoring versions 24.10.0 to 24.10.14 (fixed in 24.10.15)
- Centreon Infra Monitoring versions 24.04.0 to 24.04.18 (fixed in 24.04.19)
Discovery Timeline
- 2026-01-05 - CVE-2025-13056 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-13056
Vulnerability Analysis
This Stored XSS vulnerability exists in the Administration ACL (Access Control List) menu configuration modules of Centreon Infra Monitoring. The vulnerability occurs because user-supplied input in the ACL configuration interface is not properly sanitized before being stored in the database and subsequently rendered in web pages.
When a privileged user with access to the Administration ACL configuration submits malicious JavaScript code through input fields, the application fails to properly encode or filter this content. The malicious payload is then stored persistently and executed whenever another user views the affected configuration page, making this a particularly dangerous form of XSS attack.
The changed scope recorded in the vulnerability assessment (CVSS Scope: Changed) means that exploitation can impact resources beyond the vulnerable component itself: the injected script runs in the browser of every user who views the page, so it can reach other users' sessions and data within the Centreon platform.
Root Cause
The root cause of CVE-2025-13056 lies in insufficient input validation and output encoding within the ACL menu configuration modules. The application accepts and stores user-controlled data without properly sanitizing HTML and JavaScript content. When this data is rendered back to users, it is not properly escaped, allowing embedded scripts to execute in the victim's browser context.
This represents a classic Stored XSS pattern where the application trusts privileged user input without implementing proper security controls for content that will be displayed to other users.
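The root-cause pattern described above, as an added illustration that is not Centreon's code: a toy renderer for an ACL menu configuration row, first with stored data interpolated into HTML verbatim (the vulnerable pattern) and then with contextual output encoding applied at render time (the fix). The field names acl_name and acl_alias, the stored values and the script-embedding helper are constructed assumptions for the example only.

```python
"""Stored XSS (CWE-79) root cause and fix, shown on a toy ACL menu row.

Added example, not Centreon code. Field names (acl_name, acl_alias) and the
stored values are assumptions used only to illustrate the pattern.
"""
import html
import json

# Constructed sample: the kind of value a privileged user could persist in an
# ACL menu rule. A real deployment would read this from the database.
STORED_ACL = {
    "acl_name": "Ops <script>alert(1)</script>",
    "acl_alias": '" onmouseover="alert(1)',
}


def render_unsafe(acl: dict) -> str:
    """Vulnerable pattern: stored data is emitted into HTML unchanged.

    Whatever was stored becomes markup, so an embedded <script> element or an
    injected event-handler attribute executes in every viewer's browser.
    """
    return (
        f'<tr><td>{acl["acl_name"]}</td>'
        f'<td><input value="{acl["acl_alias"]}"></td></tr>'
    )


def render_safe(acl: dict) -> str:
    """Fixed pattern: contextual output encoding at render time.

    html.escape(quote=True) neutralises <, >, &, " and ' for both the element
    body and the quoted-attribute context, so the stored payload is displayed
    as literal text instead of being parsed as markup.
    """
    name = html.escape(acl["acl_name"], quote=True)
    alias = html.escape(acl["acl_alias"], quote=True)
    return (
        f"<tr><td>{name}</td>"
        f'<td><input value="{alias}"></td></tr>'
    )


def embed_in_script(acl: dict) -> str:
    """Encoding for a different context: a value placed inside a <script> block.

    HTML entity escaping is wrong here; the value must be a JS string literal.
    json.dumps handles quotes and backslashes, and '<' / '>' are additionally
    encoded so a stored '</script>' cannot terminate the enclosing element.
    """
    encoded = json.dumps(acl["acl_name"]).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var aclName = {encoded};</script>"


def contains_active_markup(rendered: str) -> bool:
    """Crude comparison check: does the output still carry a live <script>
    element or an injected onmouseover attribute?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_ACL))
    print("safe:  ", render_safe(STORED_ACL))
    print("script:", embed_in_script({"acl_name": "</script><script>alert(1)</script>"}))
```

The point of the third helper is that "encode on output" means encoding for the context the value lands in: the same stored string needs entity encoding in an element body or attribute and JS-string encoding inside a script block, and a single escaping routine applied everywhere leaves one of those contexts exposed.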
Attack Vector
The attack is network-based and requires the attacker to have high-privilege access to the Centreon administrative interface. The exploitation flow involves:
- An attacker with administrative privileges navigates to the ACL menu configuration modules
- The attacker injects malicious JavaScript code into a vulnerable input field
- The malicious payload is stored in the application database
- When other administrative users access the affected configuration page, the stored script executes in their browser
- The executed script can steal session cookies, perform actions as the victim user, or further compromise the monitoring infrastructure
While the attack requires high privileges to initiate, it requires no interaction from victims beyond opening the affected page: the stored script executes automatically when that page is loaded.
Detection Methods for CVE-2025-13056
Indicators of Compromise
- Unusual JavaScript content within ACL configuration entries or database records
- Unexpected HTTP requests originating from the Centreon web interface to external domains
- Session tokens appearing in server logs or network traffic destined for unauthorized endpoints
- Modified ACL configurations containing encoded or obfuscated script content
Detection Strategies
- Implement Content Security Policy (CSP) headers and monitor CSP violation reports for XSS attempts
- Review Centreon application logs for suspicious patterns in ACL configuration changes
- Deploy Web Application Firewall (WAF) rules to detect XSS payloads in administrative requests
- Enable audit logging for all changes to ACL configurations and review for anomalous content
Monitoring Recommendations
- Monitor database tables associated with ACL configurations for script-like content patterns
- Set up alerts for outbound connections initiated from the Centreon web server to unexpected destinations
- Track administrative user sessions for unusual activity patterns following ACL configuration access
- Implement real-time log analysis to correlate ACL modification events with suspicious client-side behavior
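The indicators, detection strategies and monitoring steps above, as an added example that is not part of the advisory or of Centreon: a scan of ACL configuration records for script-like content that first undoes the URL-encoding and HTML-entity encoding an attacker might layer on, plus a triage check for CSP violation reports of the kind a script-src policy generates. The table column names, the sample records and the report's host and path are constructed placeholders, not Centreon identifiers.

```python
"""Detection helpers for Stored XSS in persisted configuration data.

Added example, not part of the advisory or of Centreon. Column names, the
sample records and the CSP report below are constructed placeholders.
"""
import html
import json
import re
import urllib.parse

# Patterns that indicate active content rather than a plain menu label.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg|img|math)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),      # inline event handlers (onerror=, onload=, ...)
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"data\s*:[^,]*;base64", re.I),
]

# Constructed sample records: (id, column, stored value). Column names are assumptions.
SAMPLE_ACL_RECORDS = [
    {"id": 1, "column": "acl_menu_name", "value": "Reporting - Dashboards"},
    {"id": 2, "column": "acl_menu_name", "value": "Ops <script>alert(1)</script>"},
    {"id": 3, "column": "acl_menu_alias", "value": "&#60;img src=x onerror=alert(1)&#62;"},
    {"id": 4, "column": "acl_menu_alias", "value": "%3Cscript%3Ealert%281%29%3C%2Fscript%3E"},
    {"id": 5, "column": "acl_menu_name", "value": "Network Monitoring (L2/L3)"},
]

# Constructed CSP violation report in the legacy report-uri JSON shape; host and path are placeholders.
SAMPLE_CSP_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://centreon.example/centreon/acl-menu-page",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "script-sample": "alert(1)",
    }
})


def normalise(value: str) -> str:
    """Undo encodings used to evade naive greps: URL-encoding and HTML entities
    (named, decimal, hex), repeated until the value stops changing, then NUL
    bytes are dropped."""
    previous, current = None, value
    while current != previous:
        previous = current
        current = html.unescape(urllib.parse.unquote(current))
    return current.replace("\x00", "")


def scan_acl_records(records):
    """Return one finding per record whose decoded value matches a script-like
    pattern, naming the record, column, pattern and decoded content."""
    findings = []
    for record in records:
        decoded = normalise(record["value"])
        for pattern in SCRIPT_PATTERNS:
            if pattern.search(decoded):
                findings.append({"id": record["id"], "column": record["column"],
                                 "pattern": pattern.pattern, "decoded": decoded})
                break  # one finding per record is enough for triage
    return findings


def csp_report_is_suspicious(report_json: str, allowed_hosts=()) -> bool:
    """Triage a CSP violation report: a script-src violation is suspicious when
    the blocked resource is an inline script, eval, or a host other than the
    document's own host and the given allow-list. Other directives (for example
    style-src, which the recommended policy relaxes) are ignored."""
    report = json.loads(report_json).get("csp-report", {})
    directive = report.get("violated-directive") or report.get("effective-directive") or ""
    if not directive.startswith("script-src"):
        return False
    blocked = report.get("blocked-uri", "")
    if blocked in ("inline", "eval", ""):
        return True
    doc_host = urllib.parse.urlparse(report.get("document-uri", "")).hostname
    host = urllib.parse.urlparse(blocked).hostname or blocked
    return host != doc_host and host not in allowed_hosts


if __name__ == "__main__":
    for finding in scan_acl_records(SAMPLE_ACL_RECORDS):
        print(f"record {finding['id']} ({finding['column']}): {finding['decoded']!r}")
    print("CSP report suspicious:", csp_report_is_suspicious(SAMPLE_CSP_REPORT))
```

Run the scan against an export of the ACL configuration tables rather than the live database, and treat a match as a triage lead rather than proof: legitimate labels can contain angle brackets, which is exactly why the decoded content is included in each finding for a human to review.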
How to Mitigate CVE-2025-13056
Immediate Actions Required
- Upgrade Centreon Infra Monitoring to the patched version for your release branch (25.10.2, 24.10.15, or 24.04.19)
- Audit existing ACL configurations for any previously injected malicious content
- Review administrative access logs to identify potential exploitation attempts
- Restrict administrative access to the ACL configuration modules to only essential personnel
Patch Information
Centreon has released security patches addressing this vulnerability across multiple supported versions. Organizations should upgrade to the following minimum versions:
- Version 25.10.2 for the 25.10.x branch
- Version 24.10.15 for the 24.10.x branch
- Version 24.04.19 for the 24.04.x branch
For detailed release notes and download links, refer to the GitHub Centreon Release Notes. Additional vulnerability details are available in the Centreon Security Bulletin CVE-2025-13056.
Workarounds
- Implement a Web Application Firewall with XSS detection rules to filter malicious input to the ACL configuration endpoints
- Apply strict Content Security Policy headers to prevent inline script execution as an additional defense layer
- Limit network access to the Centreon administrative interface to trusted IP ranges only
- Consider temporarily disabling the ACL configuration module access until patching can be completed
# Example: Add CSP headers in Apache configuration for Centreon
# Add to your Centreon virtual host configuration. This is defense in depth
# and does not replace upgrading to a fixed version.
# Roll the policy out first as Content-Security-Policy-Report-Only and confirm
# that the web UI still works before enforcing it, since it blocks inline scripts.
<IfModule mod_headers.c>
    # Block inline and third-party scripts; inline styles remain allowed.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
    # Stop browsers from sniffing a stored payload into a different content type.
    Header always set X-Content-Type-Options "nosniff"
    # Legacy header: the XSS auditor it controls has been removed from current
    # browsers, so it is kept only for older clients and offers no protection
    # on its own.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

