Unrated severity · NVD Advisory · Published Sep 25, 2020 · Updated Aug 4, 2024

CVE-2020-25141

Description

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via a /device/device=140/tab=wifi/view= URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Observium 20.8.10631 is vulnerable to stored XSS via the view parameter in the /device/device=140/tab=wifi/ URI.

Vulnerability

Observium Professional, Enterprise & Community version 20.8.10631 is vulnerable to stored cross-site scripting (XSS). The vulnerability resides in the /device/device=140/tab=wifi/view= URI, where the application does not sanitize the view parameter before storing and later rendering it. An attacker can inject arbitrary JavaScript code that will be executed in the context of the affected page [1].

Exploitation

An attacker with network access to an Observium instance can craft a malicious request with a URL-encoded XSS payload in the view parameter. For example, a request like GET /device/device=140/tab=wifi/view=%3Csvg%20onload=alert(1)%3E/accesspoint=140/ HTTP/1.1 will store the payload. When the vulnerable page is subsequently loaded by any user, including administrators, the script executes in their browser session [1].

Impact

Successful exploitation leads to execution of attacker-controlled JavaScript in the browser of any user visiting the affected page. This can result in session hijacking, credential theft, defacement, or redirection to malicious sites, potentially compromising the entire Observium instance and its managed devices.

Mitigation

As of the publication date (2020-09-25), no patch has been released for CVE-2020-25141. Users should monitor the vendor's advisory channels for a fixed version. In the absence of an official fix, restricting network access to the Observium web interface and placing an input-validating proxy in front of it may reduce risk.
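For the monitoring side of the mitigation above, here is an added example (not code from Observium or from this advisory) that scans web access logs for requests whose view path segment decodes to anything other than a plain token. The allow-list pattern, the combined log format and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption (not from the page): legitimate view values are short plain tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{0,64}")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # combined-format request line


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def parse_segments(path):
    """Split a path of /key=value/key=value/ segments into (key, value) pairs."""
    parts = (seg.partition("=") for seg in path.split("?", 1)[0].split("/"))
    return [(key, value) for key, sep, value in parts if sep]


def suspicious_views(log_lines, param="view"):
    """Return (line_no, decoded_value) for every `param` segment failing the allow-list."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        for key, raw in parse_segments(match.group(1)):
            value = fully_decode(raw)
            if fully_decode(key) == param and not SAFE_VALUE.fullmatch(value):
                hits.append((line_no, value))
    return hits


# Constructed sample log lines (not captured traffic); "accesspoints" is a made-up benign value.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2020:10:00:00 +0000] "GET /device/device=140/tab=wifi/view=accesspoints/ HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Sep/2020:10:01:12 +0000] "GET /device/device=140/tab=wifi/view=%3Csvg%20onload=alert(1)%3E/accesspoint=140/ HTTP/1.1" 200 5342',
    '192.0.2.44 - - [25/Sep/2020:10:01:40 +0000] "GET /device/device=140/tab=wifi/view=%253Csvg%253E/ HTTP/1.1" 200 5342',
]

if __name__ == "__main__":
    for line_no, value in suspicious_views(SAMPLE_LOG):
        print(f"line {line_no}: unsafe view value {value!r}")
```

The same allow-list check can be enforced at a reverse proxy in front of the web interface so that non-conforming view values are rejected before they reach the application.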

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Observium/Observium Professional, Enterprise & Community (description)
  • Range: =20.8.10631

Patches

0

No patches discovered yet.

References

1
