Maciej Domański

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** The issue allows for Cross-Site Scripting (XSS) due to the possibility of injecting and storing malicious JavaScript code. This can occur via a "/device/device=140/tab=wifi/view=" URI, which is an API endpoint. The `device`, `tab`, and `view` variables are involved in this process. **Recommendations** For Observium Professional, Enterprise & Community version 20.8.10631, consider restricting access to the "/device/device=140/tab=wifi/view=" API endpoint until a fix is available. As a temporary workaround, avoid using the `device`, `tab`, and `view` variables in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** The issue allows attackers to forge malicious requests due to the lack of an unpredictable CSRF token in links and forms. This can be exploited to perform actions such as adding Device Settings via the "/addsrv" API endpoint. **Recommendations** For Observium Professional, Enterprise & Community version 20.8.10631, consider implementing an unpredictable CSRF token in all links and forms to prevent malicious requests. As a temporary workaround, restrict access to the "/addsrv" URI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** An issue was discovered that allows SQL Injection due to the possibility of injecting malicious SQL statements in malformed parameter types. This can occur via the "ajax/device entities.php" endpoint, specifically when the `device id` parameter is manipulated, as seen in the example "/ajax/device entities.php?entity type=netscalervsvr&device id[]=". **Recommendations** For Observium Professional, Enterprise & Community version 20.8.10631, as a temporary workaround, consider restricting access to the "/ajax/device entities.php" endpoint to minimize the risk of exploitation. Avoid using the `device id` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** An issue in the software allows for directory traversal and local file inclusion due to unrestricted file loading with an inc.php extension. This can lead to Remote Code Execution via "API Endpoints" such as /apps/?app=../. **Recommendations** For version 20.8.10631, consider restricting access to the /apps/ endpoint to minimize the risk of exploitation. As a temporary workaround, restrict the possibility of loading any file with an inc.php extension until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** The issue allows for directory traversal and local file inclusion due to unrestricted file loading with an inc.php extension. This can lead to Remote Code Execution. The vulnerability can be exploited via URIs such as "/device/device=345/?tab=ports&view=../" because of device/port.inc.php. **Recommendations** For Observium Professional, Enterprise & Community version 20.8.10631, restrict access to the device/port.inc.php file to minimize the risk of exploitation. Avoid using the `view` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** The issue allows for Cross-Site Scripting (XSS) due to the possibility of injecting and storing malicious JavaScript code. This can occur via the `la id` variable to the "/syslog rules" API endpoint for the edit syslog rule functionality. **Recommendations** For Observium Professional, Enterprise & Community version 20.8.10631, consider restricting access to the `/syslog rules` API endpoint to minimize the risk of exploitation, and avoid using the `la id` variable in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** The issue allows for SQL Injection due to the possibility of injecting malicious SQL statements in malformed parameter types. This can occur via the `username[0]` parameter to the default URI, because of includes/authenticate.inc.php. **Recommendations** For Observium Professional, Enterprise & Community version 20.8.10631, avoid using the `username[0]` parameter in the affected default URI until the issue is resolved. Consider temporarily restricting access to the includes/authenticate.inc.php file as a quick mitigation measure.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** The issue allows for Cross-Site Scripting (XSS) due to the possibility of injecting and storing malicious JavaScript code. This can occur via the "/iftype/type=" endpoint because of the pages/iftype.inc.php file. **Recommendations** For version 20.8.10631, consider restricting access to the "/iftype/type=" endpoint until a patch is available. As a temporary workaround, avoid using the iftype.inc.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Observium Professional, Enterprise & Community version 20.8.10631 **Description** The issue allows for directory traversal and local file inclusion due to unrestricted file loading with an inc.php extension. This can lead to Remote Code Execution. The vulnerability can be exploited via the API endpoint "/device/device=345/?tab=health&metric=../" because of the device/health.inc.php file. **Recommendations** For Observium Professional, Enterprise & Community version 20.8.10631, restrict access to the device/health.inc.php file to minimize the risk of exploitation. Avoid using the metric parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.