VYPR
Unrated severity · NVD Advisory · Published Sep 25, 2020 · Updated Aug 4, 2024

CVE-2020-25138

Description

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to stored Cross-Site Scripting (XSS): malicious JavaScript can be injected into and stored within the application. This can occur via /alert_check/action=delete_alert_checker/alert_test_id=, handled by pages/alert_check.inc.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Observium 20.8.10631 is vulnerable to stored XSS via the alert_test_id parameter in delete_alert_checker, allowing arbitrary JavaScript execution.

Vulnerability

Observium (Professional, Enterprise & Community) version 20.8.10631 contains a stored cross-site scripting (XSS) vulnerability in the pages/alert_check.inc.php script. The alert_test_id parameter in the delete_alert_checker action is not properly sanitized, allowing an attacker to inject malicious JavaScript code. The vulnerability is triggered when the crafted input is stored and later rendered in the browser [1].

Exploitation

An attacker can craft a URL with a malicious payload in the alert_test_id parameter, such as test1337%3Csvg%20onload=alert(document.domain)%3E. When a GET request is sent to /alert_check/action=delete_alert_checker/alert_test_id=/confirm=1/, the payload is stored and later executed when a user (e.g., an administrator) views the affected page. The advisory does not state that authentication is required to trigger the stored XSS; the impact depends on the privileges of the user who views the page [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive data, or other malicious actions performed within the Observium application [1].

Mitigation

As of the publication date (September 25, 2020), no official patch has been released. Users should monitor Observium's official channels for updates. In the absence of a fix, input validation and output encoding should be implemented for the alert_test_id parameter. Disabling or restricting access to the vulnerable endpoint may reduce risk [1].
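As an added illustration (this is not Observium's code and does not reproduce pages/alert_check.inc.php), the hypothetical PHP handler below contrasts the weak pattern of echoing a request parameter straight into HTML with the two controls the mitigation calls for: validating alert_test_id before use and HTML-encoding anything rendered back to the browser. The function names, the array-of-parameters interface and the sample input are all assumptions made for the example.

```php
<?php
// Added example, not Observium's code. The real handler in
// pages/alert_check.inc.php is not reproduced here; both functions below are
// hypothetical stand-ins that receive the request parameters as an array.

// Weak pattern: the identifier from the request is interpolated into the
// confirmation markup unchanged, so any tag it carries is rendered as HTML
// (and, once stored, rendered again for every viewer of the page).
function render_delete_confirmation_unsafe(array $vars): string
{
    $id = $vars['alert_test_id'] ?? '';
    return '<p>Delete alert checker <b>' . $id . '</b>?</p>';
}

// Hardened pattern: validate the identifier as a positive integer before it
// is used or stored, and HTML-encode the value at the point where it is
// written into the page. Encoding at the sink is what stops stored input from
// being interpreted as script when an administrator later views the page.
function render_delete_confirmation_safe(array $vars): string
{
    $raw = $vars['alert_test_id'] ?? '';
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject rather than reflect: the bad value never reaches the output.
        return '<p>Invalid alert checker id.</p>';
    }
    $encoded = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Delete alert checker <b>' . $encoded . '</b>?</p>';
}

// Generic encoder for any free-text field (names, descriptions) that is
// stored and later displayed; apply it at render time, not at storage time,
// so the stored value stays usable for non-HTML contexts such as logs.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input carrying markup, to compare the two outputs.
$sample = ['alert_test_id' => '42<i>not-a-number</i>'];
echo render_delete_confirmation_unsafe($sample), PHP_EOL; // markup survives
echo render_delete_confirmation_safe($sample), PHP_EOL;   // rejected
echo html_text($sample['alert_test_id']), PHP_EOL;        // &lt;i&gt;...&lt;/i&gt;
```

The integer check is the stronger of the two controls for this particular parameter, since an alert checker id has no legitimate reason to contain markup; the encoder is still needed for every other value the page echoes, because a single unencoded sink is enough to reintroduce the stored XSS.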

References
  1. CVE-2020-25138

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Observium / Observium Professional, Enterprise & Community
  • Range: = 20.8.10631

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions (0)

No linked articles in our index yet.