CVE-2020-25130
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. Sending an improper variable type of Array allows a bypass of core SQL Injection sanitization. Authenticated users are able to inject malicious SQL queries. This vulnerability leads to full database leak including ckeys that can be used in the authentication process without knowing the username and cleartext password. This can occur via the ajax/actions.php group_id field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 allows authenticated SQL injection via malformed array parameter in ajax/actions.php group_id field, leading to full database leak.
Vulnerability
An SQL injection vulnerability exists in Observium Professional, Enterprise & Community 20.8.10631 [1]. The issue is in the ajax/actions.php endpoint, where the group_id parameter is improperly sanitized when an array type is submitted. This allows bypass of core SQL injection sanitization, enabling authenticated users to inject malicious SQL queries.
Exploitation
An attacker must be an authenticated user of the Observium instance. By sending a crafted HTTP request to ajax/actions.php with the group_id parameter as an array (e.g., group_id[]=value) instead of the expected string, the application fails to properly sanitize the input. This permits the injection of SQL statements, which can be time-based or error-based to extract data [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries, leading to full disclosure of the database contents. This includes sensitive data such as authentication ckeys, which can be used to authenticate without knowing the username or cleartext password. The compromise affects the confidentiality and integrity of the entire Observium installation [1].
Mitigation
As of the publication date (2020-09-25), no official patch or fixed version has been announced in the available references [1]. Users should monitor the Observium website for updates and consider restricting access to the affected endpoint until a fix is applied. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium / Observium Professional, Enterprise & Community
- Range: =20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Core SQL injection sanitization does not handle array-typed parameters, allowing malicious SQL statements to bypass filtering."
Attack vector
An authenticated attacker sends a crafted HTTP request to `ajax/actions.php` with the `group_id` parameter supplied as an Array type rather than a normal string or integer. The core sanitization logic does not properly handle array-typed parameters, allowing the attacker to inject arbitrary SQL statements. This leads to full database extraction, including authentication ckeys that can be used to impersonate any user without knowing their username or cleartext password [1].
Affected code
The vulnerability is located in `ajax/actions.php` where the `group_id` parameter is processed. The core SQL injection sanitization fails when the parameter is supplied as an Array type instead of a scalar, allowing malicious SQL statements to bypass filtering [1].
What the fix does
No patch is included in the bundle. The advisory [1] does not provide remediation code or vendor fix details. The recommended mitigation would be to validate that the `group_id` parameter is a scalar type before passing it to SQL queries, and to ensure the sanitization routines recursively handle array inputs.
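As an added illustration of the scalar-type check recommended above (not Observium's code, which is not in the bundle), the hypothetical `require_int_param()` below rejects a value that PHP has decoded as an array (what `group_id[]=...` produces in `$_GET`/`$_POST`) and the lookup uses a bound parameter; the `groups` table and column names are assumed.

```php
<?php
// Added example, not Observium's code: a scalar-only guard for a request
// parameter, followed by a prepared statement, so an array-typed value can
// never be concatenated into SQL.

/**
 * Return the parameter as an int, or null when it is missing, non-scalar
 * (PHP decodes name[]=value into an array) or not a well-formed integer.
 */
function require_int_param(array $request, string $name): ?int
{
    if (!array_key_exists($name, $request)) {
        return null;
    }
    $value = $request[$name];
    // is_scalar() is false for arrays and objects: this is the type check an
    // escaping-only sanitizer typically lacks.
    if (!is_scalar($value)) {
        return null;
    }
    // Strict integer validation; rejects values with trailing or embedded text.
    $int = filter_var($value, FILTER_VALIDATE_INT);
    return $int === false ? null : $int;
}

function load_group(PDO $db, array $request): ?array
{
    $groupId = require_int_param($request, 'group_id');
    if ($groupId === null) {
        http_response_code(400);
        return null;
    }
    // Hypothetical schema. Binding keeps data and SQL separate even if the
    // validation above were ever weakened.
    $stmt = $db->prepare('SELECT group_id, group_name FROM groups WHERE group_id = :id');
    $stmt->bindValue(':id', $groupId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: what PHP yields for group_id=7 versus group_id[]=7.
var_dump(require_int_param(['group_id' => '7'], 'group_id'));
var_dump(require_int_param(['group_id' => ['7']], 'group_id'));
```

The first call returns the integer and the second returns null, so the array-typed request is refused before any query is built.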
Preconditions
- Auth: Attacker must be an authenticated user of the Observium application
- Network: Attacker must be able to send HTTP requests to ajax/actions.php
- Input: The group_id parameter must be supplied as an Array type
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. gist.github.com/mariuszpoplawski/243d1e7c07adc736bae8069fe831745c (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.