CVE-2020-25142
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. The application is vulnerable because its links and forms lack an unpredictable CSRF token. Without such a token, attackers can forge malicious requests, such as adding Device Settings via the /addsrv URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 lacks CSRF tokens, allowing attackers to forge requests to add device settings via /addsrv.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 lacks an unpredictable CSRF token in links and forms. Specifically, the /addsrv endpoint does not include a token, making it vulnerable to cross-site request forgery. [1]
Exploitation
An attacker can craft a malicious HTML page or email that, when visited by an authenticated Observium user, submits a forged POST request to /addsrv to add device settings. No authentication or special privileges are needed beyond tricking a logged-in user. [1]
Impact
Successful exploitation allows an attacker to add arbitrary device settings, potentially leading to unauthorized configuration changes or further compromise of the Observium instance. [1]
Mitigation
As of the publication date (2020-09-25), no patch has been released. Users should monitor for updates from Observium. Until a fix is available, consider implementing additional CSRF protections such as same-site cookies or custom middleware. [1]
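The mitigation above names two defensive layers, a per-session synchronizer token and same-site cookies. The following is an added illustration, not Observium's code (Observium is written in PHP; Python is used here only to show the check), of how a handler for a form posting to /addsrv would enforce them; the field name `csrf_token`, the `Session` class, and the expected origin are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session (hypothetical); the token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs,
    which is the second layer the mitigation text recommends."""
    return f"observium_session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def render_addsrv_form(session: Session) -> str:
    """Only a page served to this user carries the token, so a page hosted
    elsewhere cannot produce a submission that passes the check."""
    return ('<form method="post" action="/addsrv">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="hostname"><button>Add device</button></form>')


def handle_addsrv(session: Session, form: dict, headers: dict,
                  expected_origin: str) -> tuple[int, str]:
    """POST /addsrv: reject the request unless the submitted token matches the
    session token (constant-time compare) and the Origin/Referer is our own site."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "CSRF token missing or invalid"
    # Defence in depth: a missing Origin and Referer is treated as cross-site.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(expected_origin):
        return 403, "cross-origin request rejected"
    return 200, f"device setting added for {form.get('hostname', '')}"


if __name__ == "__main__":
    s = Session("admin")
    # Constructed forged request: third-party page, no token, wrong origin.
    print(handle_addsrv(s, {"hostname": "sw1"}, {"Origin": "https://evil.example"}, "https://observium.example"))
    # Constructed legitimate request: token from the rendered form, same origin.
    print(handle_addsrv(s, {"hostname": "sw1", "csrf_token": s.csrf_token},
                        {"Origin": "https://observium.example"}, "https://observium.example"))
```

The forged request fails on the token check before the origin check is even reached; a request that copies the token but arrives from another origin still fails on the second layer.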
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium / Observium Professional, Enterprise & Community
- Range: =20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. gist.github.com/ahpaleus/76aa81ec82644a89c2088ab3ea99f07c (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.