VYPR
Unrated severity · NVD Advisory · Published Jan 15, 2025 · Updated Jan 15, 2025

CVE-2024-45061


Description

A cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary JavaScript code execution. An authenticated user would need to click a malicious link provided by the attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Observium CE ≤24.4.13528 weather map editor allows arbitrary JavaScript execution via crafted mapname parameter.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE version 24.4.13528 (and possibly earlier versions). The mapname HTTP GET parameter in /weathermap.php is not properly sanitized before being reflected in the page response, allowing an attacker to inject arbitrary JavaScript code [1].

Exploitation

An authenticated attacker can craft a malicious URL containing a specially crafted mapname value, for example: GET /weathermap.php?mapname=XXX%22%20onmouseover=alert(1)%20%22xx. An authenticated victim must then click or be tricked into following this link while logged into Observium. No additional privileges beyond standard user authentication are required for the attacker to prepare the payload [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution within the context of the victim's browser session. This can be used to steal session cookies, perform actions on behalf of the victim, or deface the web interface. The CVSSv3 score is 8.7, with a vector of AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, indicating high impact on confidentiality and integrity [1].

Mitigation

As of the publication date (2025-01-15), no fixed version has been announced by the vendor. Users should avoid clicking untrusted links while authenticated, and apply input validation as a workaround if possible. The product version 24.4.13528 is confirmed vulnerable; users should monitor the official Observium website for patch releases [1].
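The weakness described above is a value reflected into an HTML attribute without encoding, and the workaround is to encode it. The following is an added example, not Observium's code: it assumes a hypothetical template that places mapname inside a quoted value="..." attribute (the advisory does not show the real template), decodes the request from the advisory, renders it both unencoded and with html.escape, and parses the result the way a browser would to show which version yields an extra event-handler attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request target, modelled on the URL quoted in the advisory.
SAMPLE_REQUEST = "/weathermap.php?mapname=XXX%22%20onmouseover=alert(1)%20%22xx"


def mapname_from_request(target: str) -> str:
    """Return the URL-decoded mapname GET parameter, or "" if it is absent."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("mapname", [""])[0]


def render_unsafe(mapname: str) -> str:
    """Hypothetical template reflecting the parameter with no encoding.

    This models the advisory's weakness: a double quote in the value closes the
    attribute early, so the remainder is parsed as further attributes.
    """
    return f'<input type="text" name="mapname" value="{mapname}">'


def render_safe(mapname: str) -> str:
    """Same template, but attribute-encoded first.

    quote=True makes html.escape encode both " and ' in addition to & < >,
    which is what an attribute context needs.
    """
    return f'<input type="text" name="mapname" value="{html.escape(mapname, quote=True)}">'


class _InputAttrCollector(HTMLParser):
    """Collect the attributes of the first <input> tag, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def parsed_attributes(fragment: str) -> dict:
    """Parse a rendered fragment and return the <input> attribute map (values unescaped)."""
    parser = _InputAttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def event_handlers(fragment: str) -> list:
    """Names of on* attributes the browser would attach; non-empty means attribute breakout."""
    return sorted(name for name in parsed_attributes(fragment) if name.startswith("on"))


def reflected_value(fragment: str):
    """The value attribute as the browser would interpret it."""
    return parsed_attributes(fragment).get("value")


if __name__ == "__main__":
    name = mapname_from_request(SAMPLE_REQUEST)
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        fragment = render(name)
        print(f"{label}: {fragment}")
        print(f"  value seen by browser: {reflected_value(fragment)!r}")
        print(f"  event handlers: {event_handlers(fragment)}")
```

With the unencoded template the parser reports an onmouseover attribute and a truncated value; with html.escape the whole string survives as the value and no handler attribute appears. Encoding at the output point is the fix; rejecting suspicious characters at input is only a stop-gap because map names legitimately contain characters a blocklist might miss.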

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Observium / Observium CE, 2 versions
    • (no CPE) range: = 24.4.13528
    • (no CPE) range: CE 24.4.13528

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.