CVE-2020-25146 - Vulnerability Details - OpenCVE

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for edit_syslog_rule.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Observium	Observium

Configuration 1 [-]

OR	cpe:2.3:a:observium:observium:20.8.10631::::community:::
	cpe:2.3:a:observium:observium:20.8.10631::::enterprise:::
	cpe:2.3:a:observium:observium:20.8.10631::::professional:::

No data.

References

Link	Providers
https://gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-09-25T17:44:58

Updated: 2024-08-04T15:26:09.465Z

Reserved: 2020-09-04T00:00:00

Link: CVE-2020-25146

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-25T18:15:15.537

Modified: 2024-11-21T05:17:27.833

Link: CVE-2020-25146

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-09-22T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for edit_syslog_rule."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-09-25T17:44:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-25146", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for edit_syslog_rule."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193", "refsource": "MISC", "url": "https://gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:26:09.465Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-25146", "datePublished": "2020-09-25T17:44:58", "dateReserved": "2020-09-04T00:00:00", "dateUpdated": "2024-08-04T15:26:09.465Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:observium:observium:20.8.10631:*:*:*:community:*:*:*", "matchCriteriaId": "A10D901F-6123-433A-8EB3-951C0345A24B", "vulnerable": true}, {"criteria": "cpe:2.3:a:observium:observium:20.8.10631:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C7176124-B91A-4013-8242-44374DB62624", "vulnerable": true}, {"criteria": "cpe:2.3:a:observium:observium:20.8.10631:*:*:*:professional:*:*:*", "matchCriteriaId": "93B444CB-8890-466D-B9C4-2BEC146C79CB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for edit_syslog_rule."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Observium Professional, Enterprise & Community versi\u00f3n 20.8.10631. Es vulnerable a un ataque de tipo Cross-Site Scripting (XSS) debido al hecho de que es posible inyectar y almacenar c\u00f3digo JavaScript malicioso en su interior. Esto puede ocurrir mediante la_id en el URI /syslog_rules para la funci\u00f3n edit_syslog_rule"}], "id": "CVE-2020-25146", "lastModified": "2024-11-21T05:17:27.833", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-25T18:15:15.537", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://gist.github.com/ahpaleus/7f6360e112e79539feb166660bbb7193"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}