PT-2020-15979 · Observium

Maciej Domański · Published 2020-09-25 · Updated 2020-09-30

CVE-2020-25143 · CVSS v3.1 8.8 High · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Observium Professional, Enterprise & Community version 20.8.10631

Description: An issue was discovered that allows SQL injection via malformed parameter types: malicious SQL can be injected through the device_id parameter of the "ajax/device_entities.php" endpoint when that parameter is supplied as an array rather than a scalar, as in the example "/ajax/device_entities.php?entity_type=netscalervsvr&device_id[]=".

Recommendations: For Observium Professional, Enterprise & Community version 20.8.10631, as a temporary workaround, restrict access to the "/ajax/device_entities.php" endpoint to reduce the risk of exploitation, and avoid using the device_id parameter on the affected endpoint until the issue is resolved. At the time of writing, no newer version containing a fix for this vulnerability is known.
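The defect class in the description is a parameter arriving with an unexpected type (PHP turns `device_id[]=` into an array) and reaching a SQL statement. The following PHP is an added illustration of the defensive pattern, not Observium's code: the handler, the `entities` table, the column names and the sample rows are all constructed for the example, and the endpoint is only simulated with plain arrays standing in for `$_GET`. It rejects any `device_id` that is not a positive integer scalar before the value gets near SQL, and binds the validated value with a prepared statement.

```php
<?php
declare(strict_types=1);

// Added example, not Observium's code. Demonstrates rejecting a query
// parameter with an unexpected type (an array produced by "device_id[]=")
// and binding the validated value instead of concatenating it into SQL.
// Table, column names and sample rows are constructed for this demo.

/**
 * Return a validated positive integer device id, or null when the parameter
 * is missing, not a scalar (e.g. an array from "device_id[]="), or not an
 * integer. Callers treat null as a client error.
 */
function validateDeviceId(array $params): ?int
{
    if (!array_key_exists('device_id', $params)) {
        return null;
    }
    $raw = $params['device_id'];
    // PHP builds an array from the "name[]=" query syntax; is_scalar()
    // rejects arrays (and objects) before any string handling happens.
    if (!is_scalar($raw)) {
        return null;
    }
    // FILTER_VALIDATE_INT returns false for "", "7abc" or anything that is
    // not a whole integer; min_range additionally rejects 0 and negatives.
    $id = filter_var((string)$raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch entity names for a device using a bound parameter. Returns an empty
 * list for rejected input so the caller can answer with HTTP 400.
 */
function lookupEntities(PDO $db, array $params): array
{
    $deviceId = validateDeviceId($params);
    if ($deviceId === null) {
        return [];
    }
    $stmt = $db->prepare('SELECT name FROM entities WHERE device_id = :id');
    $stmt->bindValue(':id', $deviceId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Demo with an in-memory SQLite database (constructed sample data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entities (device_id INTEGER, name TEXT)');
$db->exec("INSERT INTO entities VALUES (7, 'vsvr-web'), (7, 'vsvr-api'), (8, 'vsvr-db')");

// Simulated $_GET arrays for three requests to the same endpoint.
$requests = [
    'scalar id'      => ['entity_type' => 'netscalervsvr', 'device_id' => '7'],
    'array id'       => ['entity_type' => 'netscalervsvr', 'device_id' => ['7']], // what device_id[]=7 yields
    'non-integer id' => ['entity_type' => 'netscalervsvr', 'device_id' => '7abc'],
];

foreach ($requests as $label => $get) {
    $rows = lookupEntities($db, $get);
    printf("%-15s -> %s\n", $label, $rows ? implode(', ', $rows) : 'rejected (400)');
}
```

Run it with `php example.php` (requires the `pdo_sqlite` extension). Only the scalar request returns rows; the array form and the non-integer string are both turned away by `validateDeviceId()` before a query is built, and even a validated value is bound rather than interpolated, so the two defences are independent.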

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2020-25143

Affected Products: Observium