CVE-2020-25146
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for edit_syslog_rule.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 has a stored XSS in the syslog rules editor via the la_id parameter, enabling JavaScript injection.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 is vulnerable to Cross-Site Scripting (XSS) due to improper sanitization of the la_id parameter in the /syslog_rules URI for edit_syslog_rule. This allows an attacker to inject and store malicious JavaScript code within the application. [1]
Exploitation
An attacker can send a crafted POST request to /syslog_rules/ with a malicious payload in the la_id parameter. The reference does not state that authentication is required; however, a typical Observium installation requires administrator access to manage syslog rules, so the attacker most likely needs the privilege to create or edit syslog rules. Because the XSS is stored, any user who visits the affected page will execute the injected script. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or defacement. The impact is limited to the browser and the privileges of the victim user. [1]
Mitigation
As of the provided references, no official patch is mentioned. Users should update to a version later than 20.8.10631 if a fix is available. It is recommended to apply input validation and context-appropriate output encoding for the la_id parameter. Check the official Observium website for updates. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium / Observium Professional, Enterprise & Community
- Range: <=20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.