CVE-2020-25130

Name of the Vulnerable Software and Affected Versions Observium Professional, Enterprise & Community version 20.8.10631

Description The issue allows for SQL Injection due to the possibility of injecting malicious SQL statements through malformed parameter types. Specifically, sending an improper variable type of Array bypasses core SQL Injection sanitization, enabling authenticated users to inject malicious SQL queries. This can lead to a full database leak, including ckeys that can be used in the authentication process without knowing the username and cleartext password, via the "ajax/actions.php" endpoint, particularly through the group id field.

Recommendations For Observium Professional, Enterprise & Community version 20.8.10631, consider disabling access to the "ajax/actions.php" endpoint until a patch is available, or restrict the group id field to prevent malicious SQL injections. At the moment, there is no information about a newer version that contains a fix for this vulnerability.