{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "24.10.0" }, { "fixed": "24.10.5" } ] }, "events": [ { "introduced": "38e3f869ec4005acb857c92e3e2671bfa60879b4" }, { "fixed": "d16d4cf9526f77dc4b4b72814bc5695f5a0321e2" } ], "repo": "https://github.com/centreon/centreon", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "24.04.0" }, { "fixed": "24.04.11" } ] }, "events": [ { "introduced": "7b39edd9d115eabe0fae2b4bd1aded1889dbb6c3" }, { "fixed": "c1442423f2e7305d86e36414c1c76ccec628f8e5" } ], "repo": "https://github.com/centreon/centreon", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "23.10.0" }, { "fixed": "23.10.22" } ] }, "events": [ { "introduced": "755448bcd365969a97e902b856a1e5f56d80adaa" }, { "fixed": "c14b0793bb339b0b21396b6f4ebe1357845910e8" } ], "repo": "https://github.com/centreon/centreon", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "23.04.0" }, { "fixed": "23.04.27" } ] }, "events": [ { "introduced": "272591f468f73162aa9d790799d68db86648ac2e" }, { "fixed": "8bfdef2578d58069821828a79f8deada255d30ab" } ], "repo": "https://github.com/centreon/centreon", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "22.10.0" }, { "fixed": "22.10.29" } ] }, "events": [ { "introduced": "424c7902ba197d695862042500e5ee98e241baa6" }, { "fixed": "a26b16dd17d9195855132dbfe1ab6663cc7cfb2e" } ], "repo": "https://github.com/centreon/centreon", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "Centreon", "cwe_ids": [ "CWE-434" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/4xxx/CVE-2025-4648.json" }, "details": "The content of a SVG file, received as input \n\nin Centreon web, was not properly checked. Allows Reflected XSS.\nA user with elevated privileges can inject JS script by altering the content of a SVG media, during the submit request.\nThis issue affects web: from 24.10.0 before 24.10.5, from 24.04.0 before 24.04.11, from 23.10.0 before 23.10.22, from 23.04.0 before 23.04.27, from 22.10.0 before 22.10.29.", "id": "CVE-2025-4648", "modified": "2026-04-01T23:09:20.911434473Z", "published": "2025-05-13T09:45:41.519Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/4xxx/CVE-2025-4648.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4648" }, { "type": "ADVISORY", "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55575-centreon-web-high-severity-4434" }, { "type": "PACKAGE", "url": "https://github.com/centreon/centreon/releases" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "A user with elevated privileges can inject XSS by altering the content of a SVG media during the submit request." }