CVE-2020-25147
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to SQL Injection due to the fact that it is possible to inject malicious SQL statements in malformed parameter types. This can occur via username[0] to the default URI, because of includes/authenticate.inc.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 is vulnerable to unauthenticated SQL injection via malformed array parameters in the authentication module.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 contains a SQL injection vulnerability in the authentication module. The issue resides in includes/authenticate.inc.php where the username parameter is not properly sanitized when passed as an array (e.g., username[0]). This allows an attacker to inject malicious SQL statements by sending a malformed parameter type, bypassing the core SQL injection sanitization. The vulnerability affects both the Community and Pro versions [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the default URI with the username parameter as an array containing malicious SQL. No authentication or special privileges are required. The attacker can inject arbitrary SQL queries, and the injection works even without the debug parameter. The proof of concept demonstrates that sending an array type bypasses the sanitization [1].
Impact
Successful exploitation leads to full database disclosure, including sensitive data such as user credentials and authentication keys (ckeys). An attacker can extract the entire database contents, potentially gaining unauthorized access to the system without knowing usernames or plaintext passwords. The impact is high, as it compromises confidentiality and integrity of the application's data [1].
Mitigation
As of the publication date (2020-09-25), no official patch has been released. Users are advised to monitor the Observium website for updates. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Until a fix is available, consider restricting network access to the Observium web interface or implementing a web application firewall (WAF) to block malicious SQL injection attempts [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium / Observium Professional, Enterprise & Community
  - Range: = 20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Core SQL injection sanitization does not properly handle array-type parameters, allowing malicious SQL statements to be injected via malformed parameter types."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to the default URI where the `username` parameter is supplied as an array type (e.g., `username[0]=...`) rather than a string. The core sanitization routine in `includes/authenticate.inc.php` fails to properly handle this malformed parameter type, allowing SQL injection [ref_id=1]. This enables the attacker to extract the full database, including ckeys that can be used for authentication without knowing the username or password [ref_id=1].
Affected code
The vulnerable code resides in `includes/authenticate.inc.php`, where the `username` parameter is processed [ref_id=1]. The core SQL injection sanitization routine fails to properly handle array-type parameters, allowing injection when the parameter is supplied as an array (e.g., `username[0]`) instead of a string [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide remediation code or vendor fix details. The recommended remediation would be to ensure that the sanitization logic in `includes/authenticate.inc.php` properly validates that parameters expected to be strings are not supplied as arrays, and to apply parameterized queries or prepared statements to prevent SQL injection.
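The remediation described above, as an added example written for this page (it is not Observium's code and does not reproduce the real routine in `includes/authenticate.inc.php`). It assumes a hypothetical string-only sanitizer, `sanitize_legacy()`, of the kind the advisory describes, and uses hypothetical names `read_string_param()`, `find_user()` and a `users` table. PHP's own query-string parser is used to show that `username[0]=...` arrives as an array, which the string-only sanitizer never touches; the hardened path rejects non-string parameters up front and binds the value through a prepared statement.

```php
<?php
declare(strict_types=1);

// Added example, not Observium code. sanitize_legacy(), read_string_param(),
// find_user() and the users table are hypothetical names chosen to illustrate
// the bug class (array-typed parameter bypassing string sanitization) and its fix.

/**
 * Hypothetical string-oriented sanitizer: it escapes strings but passes any
 * other type through untouched, so an array-valued parameter is never
 * sanitized at all.
 */
function sanitize_legacy($value)
{
    if (is_string($value)) {
        return addslashes($value);
    }
    return $value; // arrays (username[0]=...) fall straight through
}

/**
 * Vulnerable pattern: sanitize, then interpolate into SQL. Taking the first
 * element of the array afterwards (an assumption made for illustration) means
 * whatever that element contains reaches the query unescaped.
 */
function build_login_query_vulnerable($username): string
{
    $clean = sanitize_legacy($username);
    if (is_array($clean)) {
        $clean = (string) reset($clean);
    }
    return "SELECT id FROM users WHERE username = '$clean'";
}

/**
 * Fix, part 1: refuse any parameter that is not a plain string before it
 * reaches application logic. Arrays, nested arrays and missing values all
 * fail closed.
 */
function read_string_param(array $request, string $name): string
{
    if (!array_key_exists($name, $request) || !is_string($request[$name])) {
        throw new InvalidArgumentException("parameter '$name' must be a string");
    }
    return $request[$name];
}

/**
 * Fix, part 2: never interpolate. A prepared statement binds the value
 * separately from the SQL text, so a quote inside a validated string cannot
 * change the query's structure.
 */
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demonstration with constructed input ---------------------------------

// A plain string is escaped by the legacy sanitizer as intended.
parse_str("username=o'brien", $wellFormed);
echo build_login_query_vulnerable($wellFormed['username']), "\n";
// SELECT id FROM users WHERE username = 'o\'brien'

// PHP parses username[0]=... into a nested array; the sanitizer skips it and
// the apostrophe lands in the query unescaped.
parse_str("username[0]=o'brien", $malformed);
var_dump(is_array($malformed['username']));        // bool(true)
echo build_login_query_vulnerable($malformed['username']), "\n";
// SELECT id FROM users WHERE username = 'o'brien'

// Hardened path: the array is rejected before any SQL is built.
try {
    read_string_param($malformed, 'username');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A validated string goes through a prepared statement against an in-memory
// SQLite database constructed here for the demonstration.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('o''brien')");
$username = read_string_param($wellFormed, 'username');
var_dump(find_user($db, $username));               // ['id' => 1, 'username' => "o'brien"]
var_dump(find_user($db, 'nobody'));                // NULL
```

Run it with `php example.php` (the `pdo_sqlite` extension must be enabled). The type check in `read_string_param()` is the change that closes the malformed-parameter gap; the prepared statement is what makes the query safe even for strings the check lets through, and the two should be applied together rather than relying on either alone.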
Preconditions
- auth: No authentication required
- network: Attacker must be able to send HTTP requests to the Observium web interface
- input: The username parameter must be supplied as an array type (e.g., username[0]=value)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. gist.github.com/ahpaleus/c9ee1108d146a94470f191fc423bee10
News mentions
No linked articles in our index yet.