CVE-2021-37556: 
Centreon vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in Centreon before versions 20.04.14, 20.10.8, and 21.04.2. The vulnerability exists in the reporting export functionality and allows remote authenticated attackers with low privileges to execute arbitrary SQL commands via the start and end parameters in the include/reporting/dashboard/csvExport/csv_HostGroupLogs.php file (NVD).

The vulnerability has been assigned CVE-2021-37556 and received a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from improper validation of user-supplied input in the csv_HostGroupLogs.php file's start and end parameters, which are used in SQL queries. This vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary SQL commands on the underlying database. Given the CVSS score of 8.8, the potential impact is considered high, affecting the confidentiality, integrity, and availability of the system (NVD).

The vulnerability has been fixed in Centreon versions 20.04.14, 20.10.8, and 21.04.2. Users are advised to upgrade to these or newer versions to mitigate the risk. The fix was implemented through a patch that properly validates the input parameters (Centreon Patch).