CVE-2020-25131
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the role_name or role_descr parameter to the roles/ URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 is vulnerable to stored XSS via the role_name or role_descr parameters in the roles/ URI.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 is vulnerable to stored Cross-Site Scripting (XSS). The flaw is in the roles management functionality: the values submitted in the role_name and role_descr parameters are neither validated on input nor HTML-encoded when the roles page is rendered, so they are written to the database as-is and later echoed into the page unchanged. An attacker can therefore inject arbitrary JavaScript that executes in the browser of any user who views the affected roles page [1].
Exploitation
An attacker with access to the Observium web interface exploits this by submitting a crafted POST request to the roles/ endpoint with a JavaScript payload in the role_name or role_descr parameter. The roles page sits behind Observium's login, and creating or editing roles is an administrative function, so the attacker needs an authenticated account that is permitted to manage roles; the bug is therefore a privilege-abuse and lateral-movement primitive for someone who already holds such an account or has stolen its credentials, not an unauthenticated entry point. The injected script is stored with the role and executes every time another user, typically an administrator, loads the roles page [1].
Impact
Successful exploitation executes attacker-controlled JavaScript in the browser of every user who views the roles page. Because the users who review role definitions are typically administrators, the script runs with their privileges inside Observium: it can hijack the session, read any data the victim can see (including credentials exposed in the interface), issue administrative requests on the victim's behalf, or deface the application. The compromise is confined to the Observium origin in the victim's browser; the vulnerability does not by itself give code execution on the server [1].
Mitigation
As of the publication date (2020-09-25), the reference documents neither an official fix from Observium nor a workaround [1]. Until a fixed release is available and installed, restrict the ability to create and edit roles to trusted administrators, validate role_name and role_descr on input (reject or strip markup), and, most importantly, HTML-encode these values wherever they are rendered, since output encoding at the point of display is what actually neutralises stored XSS. A Content Security Policy that forbids inline script is a useful defence in depth against any payload that still reaches the page.
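The following is an added illustration of the pattern described in the Vulnerability and Mitigation sections; it is not Observium's code and does not reproduce the project's actual roles/ handler. It models a minimal roles store with a vulnerable renderer that concatenates role_name and role_descr straight into HTML, the hardened renderer that HTML-encodes them at output, and the check a tester would run against a fetched page to tell an executing payload from an inert, encoded one. All function names, the in-memory table and the sample payload are assumptions made for this example; only the parameter names role_name and role_descr come from the advisory.

```python
"""Stored-XSS illustration for the roles/ pattern (added example, not Observium code)."""
import html
import re

# Constructed sample payload of the kind submitted in a POST to roles/.
# Not taken from the reference; any script tag will do for the demonstration.
PAYLOAD = '<script>fetch("/steal?c=" + document.cookie)</script>'

# Hypothetical in-memory roles table standing in for the application's database.
ROLES = []


def store_role(role_name, role_descr):
    """Persist a role exactly as submitted. Nothing is rejected or transformed
    on the way in, which is what makes the resulting XSS stored rather than
    reflected."""
    role = {"role_name": role_name, "role_descr": role_descr}
    ROLES.append(role)
    return role


def render_roles_vulnerable():
    """Vulnerable pattern: stored values are concatenated directly into HTML."""
    rows = "".join(
        f"<tr><td>{r['role_name']}</td><td>{r['role_descr']}</td></tr>"
        for r in ROLES
    )
    return f"<table>{rows}</table>"


def render_roles_hardened():
    """Hardened pattern: every untrusted value is HTML-encoded at the point of
    output. quote=True also encodes quotes, so the same helper is safe for the
    element-content context shown here and inside a quoted attribute."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(r["role_name"], quote=True),
            html.escape(r["role_descr"], quote=True),
        )
        for r in ROLES
    )
    return f"<table>{rows}</table>"


# A raw "<script" tag in a response will execute; the encoded form "&lt;script"
# is inert text. Case-insensitive because browsers treat <SCRIPT> the same way.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page):
    """Tester's check on a fetched roles page: True means the payload would run."""
    return bool(_SCRIPT_TAG.search(page))


def demo():
    """Store one malicious role, render it both ways and report which version
    would execute the payload."""
    ROLES.clear()
    store_role(PAYLOAD, "auditor " + PAYLOAD)
    vulnerable = render_roles_vulnerable()
    hardened = render_roles_hardened()
    return {
        "vulnerable_executes": contains_live_script(vulnerable),
        "hardened_executes": contains_live_script(hardened),
        "hardened_html": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The encoding shown is correct only for HTML element content and quoted attributes; a value inserted into a JavaScript string, a URL or a CSS rule needs the encoder for that context instead, and input validation alone (rejecting the literal string "<script>") is not a substitute, since event-handler attributes and other tags reach the same sink.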
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium / Observium Professional, Enterprise & Community
  Range: =20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://gist.github.com/mariuszpoplawski/9eab675bdafb7974d0114578f1ec1845 (MISC)
News mentions
No linked articles in our index yet.