Unrated severity · NVD Advisory · Published Sep 25, 2020 · Updated Aug 4, 2024

CVE-2020-25137

Description

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the alert_name or alert_message parameter to the /alert_check URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Observium 20.8.10631 is vulnerable to stored XSS via the alert_name or alert_message parameter in the /alert_check URI.

Vulnerability

Observium Professional, Enterprise & Community version 20.8.10631 is vulnerable to stored Cross-Site Scripting (XSS). The vulnerability resides in the /alert_check endpoint, where the alert_name or alert_message parameters are not properly sanitized. This allows an attacker to inject and store malicious JavaScript code within the application. The affected versions are 20.8.10631 of all Observium editions (Professional, Enterprise, Community) [1].

Exploitation

An attacker with network access to the Observium web interface can exploit this vulnerability by crafting a POST request to /alert_check with a payload in the alert_name or alert_message parameter. No special authentication level beyond a valid session is required to access the alert configuration functionality. The injected script is stored and executed when the alert is viewed by other users, leading to persistent XSS. The provided proof-of-concept request demonstrates the attack through a standard HTTP POST with a simple XSS payload [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or other client-side attacks. The stored nature of the XSS means the payload persists and can affect any user who accesses the affected alert, potentially including administrators [1].

Mitigation

As of the publication date (2020-09-25), no official patched version has been released by Observium. The vendor has acknowledged the issue but no fix is documented in the available references. Administrators should monitor Observium security advisories for updates and consider restricting access to the alert management interface to trusted users. Input validation and output encoding should be applied to the alert_name and alert_message fields as a workaround [1].
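The two workaround measures named above (validate alert_name on input, encode alert_message on output), together with a check for markup already sitting in stored alert records, as an added Python example that is not Observium's own code; the allowlist, the markup heuristic and the sample records are constructed assumptions.

```python
import html
import re

# Constructed allowlist for alert_name: letters, digits, space, underscore, dot, dash.
# Anything outside it (including < > " ' & and /) is rejected before storage.
ALERT_NAME_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,128}")

# Heuristic for hunting markup already stored in alert records: an opening or closing
# tag, a javascript: URL, or an on*= event-handler attribute. Intentionally broad.
MARKUP_RE = re.compile(r"<\s*/?\s*[A-Za-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def validate_alert_name(name: str) -> bool:
    """Input validation for alert_name: accept only allowlisted characters."""
    return ALERT_NAME_RE.fullmatch(name) is not None


def encode_for_html(value: str) -> str:
    """Output encoding for alert_message (or any stored text) at render time.

    Escapes & < > " and ' so stored content is shown as text, never parsed as markup.
    """
    return html.escape(value, quote=True)


def find_suspicious_alerts(records: list[dict]) -> list[int]:
    """Return ids of stored alerts whose name or message look like markup."""
    hits = []
    for rec in records:
        fields = (rec.get("alert_name", ""), rec.get("alert_message", ""))
        if any(MARKUP_RE.search(f) for f in fields):
            hits.append(rec["id"])
    return hits


# Constructed sample alert records (not real Observium data); records 2 and 3 carry
# the kind of markup a stored-XSS payload in these fields would leave behind.
SAMPLE_ALERTS = [
    {"id": 1, "alert_name": "cpu high", "alert_message": "CPU above 90% for 5 minutes"},
    {"id": 2, "alert_name": "disk<script>alert(1)</script>", "alert_message": "Disk full"},
    {"id": 3, "alert_name": "link down", "alert_message": '<a href="javascript:alert(1)">details</a>'},
]

if __name__ == "__main__":
    for rec in SAMPLE_ALERTS:
        ok = validate_alert_name(rec["alert_name"])
        print(f"alert {rec['id']}: name valid={ok}, rendered={encode_for_html(rec['alert_message'])}")
    print("suspicious stored alerts:", find_suspicious_alerts(SAMPLE_ALERTS))
```

Running the hunting check once against the existing alert table is how an administrator would find payloads stored before the workaround was applied.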

References
  1. CVE-2020-25137

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Observium / Observium Professional, Enterprise & Community
  • Range: =20.8.10631

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

No linked articles in our index yet.