PT-2020-15968 · Observium · Observium

Mariusz Popławski · Published 2020-09-25 · Updated 2020-09-30 · CVE-2020-25132

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Observium Professional, Enterprise & Community version 20.8.10631

Description: An issue in Observium allows SQL Injection due to the possibility of injecting malicious SQL statements through malformed parameter types. Specifically, sending an improper variable type (Array) bypasses core SQL Injection sanitization, enabling users to inject malicious statements in multiple functions. This leads to full authentication bypass, allowing any unauthorized user with access to the application to exploit the issue. The vulnerability can be exploited via the Cookie header to the default URI, within the includes/authenticate.inc.php file.

Recommendations: For Observium Professional, Enterprise & Community version 20.8.10631, consider disabling the authentication functionality temporarily until a patch is available to prevent exploitation. Restrict access to the includes/authenticate.inc.php file to minimize the risk of exploitation. Avoid using the Cookie header with malicious input in the default URI until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
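The bug class described above (a string-only sanitizer that an array-typed parameter slips past) is illustrated here with an added, hypothetical PHP example; it is not Observium's code and does not reproduce its authenticate.inc.php logic. PHP builds an array from any GET, POST or Cookie input whose name ends in `[]`, so a sanitizer that only escapes strings leaves such values untouched. The function names, the `session_token` cookie name and the `sessions` table are assumptions for the example. The hardened version enforces the expected scalar type before any use, logs rejected input for detection, and binds the value in a prepared statement so the driver keeps data and SQL separate regardless of content.

```php
<?php
// Added, hypothetical example; not Observium's code.

// Weak pattern: escaping that only handles strings. An array value reaches
// the query with its elements never escaped (the is_array branch), and a
// caller that relies on this function believes the input is "sanitized".
function weak_sanitize($value): string
{
    if (is_array($value)) {
        return implode(',', $value); // elements joined, never escaped
    }
    return addslashes((string) $value); // also not a real SQL escape
}

// Hardened pattern, step 1: the input must be a non-empty plain string of
// bounded length. Arrays, objects and nulls are rejected, not coerced.
function require_scalar_string(array $source, string $name, int $max_len = 128): ?string
{
    if (!array_key_exists($name, $source)) {
        return null;
    }
    $value = $source[$name];
    if (!is_string($value)) {
        // Type confusion on an auth parameter is worth a log line for SOC review.
        error_log(sprintf('rejected non-string value for parameter "%s" (%s)',
                          $name, gettype($value)));
        return null;
    }
    if ($value === '' || strlen($value) > $max_len) {
        return null;
    }
    return $value;
}

// Hardened pattern, step 2: the validated value is bound as a parameter,
// so no SQL is ever built by string concatenation of user input.
// Table and column names are hypothetical.
function lookup_session_user(PDO $pdo, array $cookies): ?array
{
    $token = require_scalar_string($cookies, 'session_token'); // hypothetical cookie name
    if ($token === null) {
        return null; // treated as unauthenticated; no fallback to string coercion
    }
    $stmt = $pdo->prepare(
        'SELECT user_id, username FROM sessions WHERE token = :token AND expires_at > NOW()'
    );
    $stmt->bindValue(':token', $token, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (hypothetical DSN). Emulated prepares are disabled so the server,
// not the client library, handles parameter binding.
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//                [PDO::ATTR_EMULATE_PREPARES => false,
//                 PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $user = lookup_session_user($pdo, $_COOKIE);
```

The point of step 1 is that type enforcement happens on the raw superglobal before any sanitization or query code sees the value; a check added only inside the escaping function is easy to bypass from another call site. Step 2 removes the dependence on escaping altogether, which is the durable fix once a vendor patch is available. Until then, the advisory's interim measures (restricting access to includes/authenticate.inc.php and the default URI) reduce exposure.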

Exploit

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2020-25132

Affected Products: Observium