CVE-2020-25139
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for delete_syslog_rule, because of syslog_rules.inc.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 is vulnerable to stored XSS via the la_id parameter in the /syslog_rules URI, allowing arbitrary JavaScript injection.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 contains a stored Cross-Site Scripting (XSS) vulnerability in the /syslog_rules URI. The la_id parameter is not properly sanitized before being stored and later displayed, allowing an attacker to inject arbitrary JavaScript code. This occurs in syslog_rules.inc.php when performing a delete operation on syslog rules [1].
Exploitation
An attacker with access to the web interface can craft a malicious GET request to /syslog_rules with a la_id parameter containing a JavaScript payload. The payload is stored and executed when the page is viewed by a victim. The attack requires no authentication if the application is exposed; otherwise a low-privileged user can trigger the stored script [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, phishing, defacement, or theft of sensitive information. The scope is limited to the browser, but because the payload is stored, every user who views the affected page is exposed [1].
Mitigation
No fixed version has been disclosed in the available references. Users are advised to restrict access to the Observium web interface, apply input validation, or upgrade once a patch is released [1].
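As an added illustration of the mitigation named above (input validation on the way in, output encoding on the way out), here is a hypothetical PHP handler for a rule-delete action whose id parameter is called la_id. This is example code written for this page, not Observium's code and not taken from the referenced gist; the function names, the request shape and the status-message markup are assumptions. The idea is that a rule id is a positive integer, so anything else is rejected before it can be stored or rendered, and whatever is rendered is HTML-escaped regardless.

```php
<?php
// Added example, not Observium's code: a hypothetical delete handler that
// treats la_id as a numeric identifier and never echoes raw input.

/**
 * Validate that the raw la_id value is a positive integer and return it as int.
 * Anything else (markup, "12abc", arrays) yields null.
 */
function validate_rule_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Escape a value for an HTML text or quoted-attribute context.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids empty output on bad UTF-8.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical delete handler: returns the HTML status fragment to display.
 * A rejected id is logged server-side (not shown to the page) and never stored.
 */
function delete_syslog_rule_handler(array $request): string
{
    $id = validate_rule_id($request['la_id'] ?? '');
    if ($id === null) {
        error_log('Rejected la_id: ' . json_encode($request['la_id'] ?? null));
        return '<div class="alert">Invalid syslog rule id.</div>';
    }
    // ... delete the rule with id $id via a prepared statement (omitted) ...
    // Even though $id is now an int, escape on output as a matter of habit.
    return '<div class="alert">Deleted syslog rule ' . h((string) $id) . '.</div>';
}

// Constructed inputs for a stand-alone run (not real traffic):
echo delete_syslog_rule_handler(['la_id' => '42']), PHP_EOL;
echo delete_syslog_rule_handler(['la_id' => '<b>not-a-number</b>']), PHP_EOL;
```

The first call prints the "Deleted syslog rule 42." fragment; the second prints the generic error and writes the rejected value to the server log. Validating the parameter as an integer removes the stored-XSS path entirely for this field, and keeping htmlspecialchars on the output guards against the same mistake being reintroduced when the handler is later changed to render something that is not an integer.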
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium / Observium Professional, Enterprise & Community
- Range: =20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] gist.github.com/mariuszpoplawski/1e7526027aec7a89e78950e5e57d007d (MISC)
News mentions
No linked articles in our index yet.