CVE-2024-47140

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the add_alert_check page of Observium CE version 24.4.13528. The flaw lies in improper neutralization of the entity_type parameter. An attacker can inject arbitrary JavaScript by crafting a malicious URL that includes a payload in the entity_type parameter. The vulnerability is present in the /add_alert_check/entity_type= path [1].

Exploitation

An attacker must be an authenticated user and trick another authenticated user into clicking a specially crafted link. The attacker can craft an HTTP GET request such as GET /add_alert_check/entity_type=a'+alert(123)+'a which, when opened by a victim, executes the injected script. No special network position or privileges beyond user-level authentication are required [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser session. This can result in theft of session cookies, defacement, or other actions limited by the security context of the Observium application. The CVSS v3.1 score is 8.7 (High) with impacts to confidentiality and integrity, but no direct impact on availability [1].

Mitigation

As of the advisory publication date (January 15, 2025), no fixed version has been released. The vendor has confirmed the vulnerability, but a patch is not yet available. The affected version is Observium CE 24.4.13528. Users should monitor for updates and apply the fix when released. No workaround is provided in the available references [1].