VYPR
Unrated severity · NVD Advisory · Published Sep 25, 2020 · Updated Aug 4, 2024

CVE-2020-25135

Description

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the graph_title parameter to the graphs/ URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Observium 20.8.10631 suffers from a stored XSS vulnerability via the graph_title parameter, allowing arbitrary JavaScript execution.

Vulnerability

Observium Professional, Enterprise, and Community version 20.8.10631 contain a stored Cross-Site Scripting (XSS) vulnerability. The issue resides in the graphs/ URI, where the value of the graph_title parameter is stored and later written into the page without HTML encoding. An attacker can inject HTML containing JavaScript through this parameter, and it is executed in the browser of any user who views the affected graph page [1].

Exploitation

An attacker needs network access to the Observium web interface and the ability to send a crafted request to the graphs/ endpoint. The exploit is a GET request to a URL of the form /graphs/type=device_processor/device=750/...?graph_title=aa'--imginfo+<img+src%3dx+onerror%3dalert(1)>aaaa. The URL-encoded HTML in the graph_title parameter is stored by the application and later written into the page without HTML encoding, so the browser parses the injected <img> tag and runs its onerror handler. The advisory does not state what level of access is needed to submit the injection, but because the payload persists it fires for every user who subsequently views the affected graph page, administrators included, which is what makes this a stored (persistent) XSS [1].

Impact

Successful exploitation lets an attacker run arbitrary JavaScript in the browsers of authenticated Observium users. From there the attacker can hijack sessions, read whatever the victim can see (device inventories, stored device credentials such as SNMP community strings, network configuration), perform actions in the victim's name, deface the interface, or pivot to other internal systems reachable from the victim's browser. The impact is significant because Observium typically monitors critical network infrastructure, so a hijacked administrator session gives broad visibility into, and some control over, that environment [1].

Mitigation

As of the publication date (2020-09-25) no patched version had been released for Observium 20.8.10631. Until one is available, HTML-encode the graph_title value wherever it is written into a page (output encoding is what actually closes the hole), validate it against an allowlist on input as defence in depth, and restrict access to the graphs/ endpoint to trusted users. Because the payload is stored, also review graph titles already in the database: a value injected before the workaround was applied remains there and keeps firing until it is cleaned up. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Observium Community users should watch for a release that addresses this issue [1].
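The following Python block is an added illustration for the Exploitation and Mitigation sections above; it is not Observium's code (Observium is written in PHP), and the function names, the in-memory title store, the device id and the access-log lines are all constructed for the example. It decodes the graph_title parameter from a URL shaped like the one quoted in the advisory, shows the unencoded rendering the advisory describes next to a hardened rendering that HTML-encodes at output time, applies an allowlist check on input, and runs a simple detector over constructed access-log lines so that earlier injection attempts can be found.

```python
"""Added illustration for CVE-2020-25135. Not Observium's code: every name,
store and log line here is constructed for the example."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the URL quoted in the advisory; the
# device id 750 and the path are illustrative.
ATTACK_URL = (
    "/graphs/type=device_processor/device=750/"
    "?graph_title=aa'--imginfo+<img+src%3dx+onerror%3dalert(1)>aaaa"
)
BENIGN_URL = "/graphs/type=device_processor/device=750/?graph_title=CPU+load"


def graph_title_from_url(url: str) -> str:
    """Decode the graph_title query parameter the way a server would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("graph_title", [""])[0]


# Hypothetical persistence layer standing in for the database write that
# makes this a *stored* XSS: the raw title is kept, which is acceptable
# only if every consumer encodes it on output.
TITLE_STORE: dict[int, str] = {}


def store_graph_title(device_id: int, title: str) -> None:
    TITLE_STORE[device_id] = title


def render_graph_vulnerable(device_id: int) -> str:
    """The pattern the advisory describes: the stored title is emitted
    verbatim, so a browser parses the attacker's <img> and runs onerror."""
    return f'<h3 class="graph-title">{TITLE_STORE[device_id]}</h3>'


def render_graph_hardened(device_id: int) -> str:
    """Output encoding at the HTML-text sink: &, <, >, double and single
    quotes become entities, so the same stored value is shown, not parsed."""
    safe = html.escape(TITLE_STORE[device_id], quote=True)
    return f'<h3 class="graph-title">{safe}</h3>'


# Defence in depth on input: a graph title needs letters, digits, spaces
# and a little punctuation; anything else is rejected before storage.
TITLE_ALLOWED = re.compile(r"[\w .,:()/-]{1,120}")


def validate_graph_title(title: str) -> bool:
    return TITLE_ALLOWED.fullmatch(title) is not None


# Detection over access logs (constructed lines in Common Log Format):
# decode graph_title per request and flag tag openers, event-handler
# attributes and javascript: URLs.
INJECTION_MARKERS = re.compile(r"<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:", re.I)

SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2020:10:00:01 +0000] "GET ' + BENIGN_URL
    + ' HTTP/1.1" 200 5123',
    '10.0.0.9 - - [25/Sep/2020:10:00:07 +0000] "GET ' + ATTACK_URL
    + ' HTTP/1.1" 200 5140',
]


def flag_suspicious_title_requests(log_lines):
    """Return (url, decoded_title) for requests whose graph_title carries
    HTML or script markers. Requests without a graph_title are ignored."""
    hits = []
    for line in log_lines:
        fields = line.split('"')
        if len(fields) < 3:
            continue
        request = fields[1].split(" ")  # METHOD URL PROTOCOL
        if len(request) != 3:
            continue
        title = graph_title_from_url(request[1])
        if title and INJECTION_MARKERS.search(title):
            hits.append((request[1], title))
    return hits


if __name__ == "__main__":
    store_graph_title(750, graph_title_from_url(ATTACK_URL))
    print("vulnerable :", render_graph_vulnerable(750))
    print("hardened   :", render_graph_hardened(750))
    print("valid input:", validate_graph_title(graph_title_from_url(ATTACK_URL)))
    for url, title in flag_suspicious_title_requests(SAMPLE_LOG):
        print("suspicious :", url, "->", title)
```

The hardened renderer encodes at the sink rather than on the way in, so it also neutralises titles that were stored before the fix; the allowlist is a second layer, not a substitute. The log detector decodes the parameter before matching, since `%3C`, `+` and similar encodings would otherwise hide the markers.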

References
  1. CVE-2020-25135

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Observium / Observium Professional, Enterprise & Community
  • Range: = 20.8.10631

Patches

No patches discovered yet.
