Cyber Posture

CVE-2024-47140

Severity: High | Public PoC

Published: 15 January 2025
Modified: 22 August 2025
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0052 (66.8th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A cross-site scripting (XSS) vulnerability exists in the add_alert_check page of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary JavaScript code execution. An authenticated user would need to click a malicious link provided by the attacker.

Security Summary

CVE-2024-47140 is a cross-site scripting (XSS) vulnerability in the add_alert_check page of Observium Community Edition (CE) version 24.4.13528. The flaw allows a specially crafted HTTP request to trigger arbitrary JavaScript code execution, classified under CWE-79. It carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, and potential for significant confidentiality and integrity impacts with changed scope.

An attacker can exploit this vulnerability by tricking an authenticated user with low privileges into clicking a malicious link. User interaction is required, but once the link is followed, the injected JavaScript executes in the victim's browser context, potentially enabling session hijacking, data theft, or further compromise within the Observium application.

Mitigation details and additional technical analysis are available in the Cisco Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2090. Security practitioners should consult this report for patch information and remediation guidance specific to affected Observium deployments.

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Affected Products

Vendor: observium
Product: observium
Version: 24.4.13528

References