VYPR
Unrated severity · NVD Advisory · Published Jan 15, 2025 · Updated Jan 15, 2025

CVE-2024-47002

Description

An HTML code injection vulnerability exists in the VLAN management part of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary HTML code injection. An authenticated user would need to click a malicious link provided by the attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected cross-site scripting vulnerability in Observium CE 24.4.13528 allows authenticated users to inject arbitrary HTML via the vlan_id parameter.

Vulnerability

A reflected HTML injection vulnerability exists in the VLAN management page of Observium CE version 24.4.13528. The vlan_id parameter is not properly sanitized before being reflected in the response, allowing an attacker to inject arbitrary HTML code. The vulnerability is classified as CWE-79 (Cross-site Scripting). [1]

Exploitation

An attacker must craft a malicious URL containing a specially crafted vlan_id parameter. The victim must be authenticated to Observium and click the link. No additional privileges are required beyond standard user authentication. The advisory demonstrates a reflected XSS via a GET request to `/vlan/?vlan_id=...`. [1]

Impact

Successful exploitation allows the attacker to inject arbitrary HTML into the victim's browser session, potentially leading to data theft, session hijacking, or defacement. The CVSSv3 score is 8.7 (High) with confidentiality and integrity impacts rated as High, and scope changed. No impact on availability. [1]

Mitigation

As of the publication date, no official patch or workaround has been disclosed in the available references. Users should monitor the Observium project for updates and consider restricting access to the VLAN management page until a fix is released. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
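The checks a defender would want for the vlan_id parameter described above, as an added example that is not part of this advisory or of the Observium code base: a strict validator that accepts only a plain 802.1Q VLAN number, and a scan of web-server access logs for requests to the VLAN page whose vlan_id is anything else. It assumes the combined log format; the log lines, usernames and addresses are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jan/2025:10:01:02 +0000] "GET /vlan/?vlan_id=100 HTTP/1.1" 200 5120
10.0.0.7 - bob [15/Jan/2025:10:02:11 +0000] "GET /vlan/?vlan_id=1%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5301
10.0.0.9 - carol [15/Jan/2025:10:03:45 +0000] "GET /device/?device=3 HTTP/1.1" 200 8000
10.0.0.7 - bob [15/Jan/2025:10:04:00 +0000] "GET /vlan/?vlan_id=abc HTTP/1.1" 200 5100
"""

# ip, ident, user, [timestamp], "METHOD target ..."
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) '
)
VLAN_ID_OK = re.compile(r'\d{1,4}')  # at most four decimal digits covers 1..4094


def is_valid_vlan_id(value: str) -> bool:
    """Hardened check: accept only a decimal 802.1Q VLAN ID in 1..4094.

    Anything else (letters, markup, encoded characters) is rejected before the
    value could ever be reflected into a page.
    """
    return bool(VLAN_ID_OK.fullmatch(value)) and 1 <= int(value) <= 4094


def suspicious_vlan_requests(log_text: str) -> list[dict]:
    """Flag requests to /vlan/ whose vlan_id is not a plain VLAN number.

    parse_qs URL-decodes the values, so percent-encoded markup is caught too.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.startswith('/vlan/'):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get('vlan_id', []):
            if not is_valid_vlan_id(value):
                hits.append({'ip': m.group('ip'), 'user': m.group('user'), 'vlan_id': value})
    return hits


if __name__ == '__main__':
    for h in suspicious_vlan_requests(SAMPLE_LOG):
        print(f"suspicious vlan_id from {h['user']}@{h['ip']}: {h['vlan_id']!r}")
```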

Affected products

2
  • Observium / Observium CE (2 versions)
    = 24.4.13528, + 1 more
    • (no CPE) range: = 24.4.13528
    • (no CPE) range: CE 24.4.13528

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.