CVE-2020-25143
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. This can occur via /ajax/device_entities.php?entity_type=netscalervsvr&device_id[]= because of /ajax/device_entities.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 is vulnerable to authenticated SQL injection via malformed array parameters in /ajax/device_entities.php, leading to full database leak.
Vulnerability
An SQL injection vulnerability exists in Observium Professional, Enterprise & Community 20.8.10631. It occurs in /ajax/device_entities.php when the device_id parameter is sent as an array (e.g., device_id[]=) with entity_type=netscalervsvr. This malformed parameter type bypasses core SQL injection sanitization, allowing injection of malicious SQL statements [1].
Exploitation
An authenticated attacker can exploit this by crafting a request with the device_id parameter as an array containing SQL injection payloads. No debug parameter is required [1]. The attack does not require special privileges beyond authentication.
Impact
Successful exploitation leads to full database disclosure, including sensitive data such as ckeys which can be used to impersonate users without knowing their passwords. This compromises confidentiality and integrity of the Observium instance [1].
Mitigation
As of the publication date, no fix has been disclosed in the available references. Users should monitor Observium releases for a patch addressing this issue [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium/Observium Professional, Enterprise & Community
- Range: =20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Core SQL injection sanitization does not handle array-type parameters, allowing malicious SQL statements to bypass filtering when passed as array values."
Attack vector
An authenticated attacker sends a crafted HTTP request to `/ajax/device_entities.php` with `entity_type=netscalervsvr` and passes `device_id[]` as an array parameter rather than a scalar value. Because the core sanitization does not properly handle array-type parameters, the attacker can inject malicious SQL statements through the array values. This allows union-based SQL injection, leading to full database extraction including authentication keys (ckeys) that can be used to impersonate users without knowing their passwords [1].
Affected code
The vulnerability is in `/ajax/device_entities.php`. When the `entity_type` parameter is set to `netscalervsvr` and the `device_id[]` parameter is passed as an array (e.g., `device_id[]=`), the core SQL injection sanitization fails to properly handle the array type, allowing malicious SQL statements to be injected [1].
What the fix does
No patch is included in the bundle. The advisory recommends that the application's core sanitization logic be updated to properly handle array-type parameters, as the current implementation only sanitizes scalar values and allows array parameters to bypass SQL injection filtering entirely [1].
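As an added illustration (not Observium's code and not taken from the referenced gist), the following Python models the defect class described above: PHP-style `key[]=` query parameters become arrays, a scalar-only sanitizer passes an array through untouched, and a hardened check requires `device_id` to be a single integer and binds it as a query placeholder. The table and column names are assumed for the example.

```python
from urllib.parse import parse_qs

class BadParameter(ValueError):
    """Raised when a request parameter does not have the expected shape."""

def php_style_params(query: str) -> dict:
    """Approximate PHP's $_GET: a key ending in [] collects its values into a list.
    Constructed for this example; PHP's real parser also handles nested keys."""
    out = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.endswith("[]"):
            out[key[:-2]] = list(values)
        else:
            out[key] = values[-1]
    return out

def weak_sanitize(value):
    """Scalar-only sanitizer of the kind the advisory describes as flawed:
    a digit string is cast to int, anything else (a list included) is
    returned untouched, so an array reaches the query builder unfiltered."""
    if isinstance(value, str) and value.isdigit():
        return int(value)
    return value

def strict_device_id(value) -> int:
    """Hardened check: device_id must be a single non-negative decimal string."""
    if not isinstance(value, str):
        raise BadParameter(f"device_id must be a scalar, got {type(value).__name__}")
    if not value.isdigit():
        raise BadParameter("device_id must be a non-negative integer")
    return int(value)

def build_query_weak(params: dict) -> str:
    """Vulnerable pattern: interpolates the weakly sanitized value into SQL text."""
    device_id = weak_sanitize(params.get("device_id"))
    return f"SELECT * FROM netscaler_vservers WHERE device_id = {device_id}"

def build_query_strict(params: dict):
    """Hardened pattern: validated integer bound through a placeholder."""
    device_id = strict_device_id(params.get("device_id"))
    return "SELECT * FROM netscaler_vservers WHERE device_id = ?", (device_id,)

def strict_accepts(query: str) -> bool:
    """True when the hardened path would run a query for this query string."""
    try:
        build_query_strict(php_style_params(query))
        return True
    except BadParameter:
        return False
```

With the weak path, `device_id[]=not-a-number` renders the list straight into the SQL text; the strict path rejects any non-scalar or non-integer value before a query is built.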
Preconditions
- auth: Attacker must be authenticated to Observium
- input: Attacker must send a crafted HTTP request with an array-type parameter (device_id[])
- config: Target must be running Observium Professional, Enterprise, or Community 20.8.10631
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. gist.github.com/ahpaleus/e75388086061ce52616967ba9ec63820 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.