Observium
cpe:2.3:a:observium:observium:*:*:*:*:*:*:*
- 24.4.13528
A cross-site scripting (XSS) vulnerability has been identified in the weather map editor of Observium CE version 24.4.13528. It allows arbitrary JavaScript to be executed in the browser of an authenticated user who clicks a malicious link. The issue arises from improper input handling of the 'mapname' variable, which can be exploited by sending a crafted HTTP request.
Exploitation of this vulnerability results in cross-site scripting: the injected JavaScript is executed in the context of the authenticated user's session.
To reproduce this vulnerability, an authenticated user must be persuaded to click a link that leads to 'weathermap.php' with a crafted 'mapname' parameter. This parameter should include JavaScript code, such as an 'onmouseover' event, which will trigger an alert when the link is hovered over. The request must be sent with cookies that maintain the user's session.
Users are advised to update to the patched version of Observium CE, which is available on the Observium website.
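The defect described above is a request parameter reflected into HTML without validation or encoding. The following PHP is an added illustration of that pattern beside a hardened form; it is not Observium's code and does not reproduce the vendor's fix, and the function names, the allow-list pattern and the length bound are assumptions chosen for the example.

```php
<?php
// Added example, not Observium's own code. Shows the general class of defect
// the advisory describes (a "mapname" parameter reflected into HTML) and the
// two generic controls that close it: allow-list validation of the input and
// context-specific output encoding. Function names and limits are assumptions.

declare(strict_types=1);

/**
 * Vulnerable pattern (for contrast only): the raw parameter is concatenated
 * into an attribute and into element text, so any quote, angle bracket or
 * event-handler attribute in the value changes the page's markup.
 */
function render_map_link_unsafe(string $mapname): string
{
    return '<a href="weathermap.php?mapname=' . $mapname . '">' . $mapname . '</a>';
}

/**
 * Accept only plausible map names: letters, digits, dot, underscore, hyphen.
 * No whitespace, quotes, angle brackets or path separators. The 64-character
 * bound is an assumption, not a value taken from Observium.
 */
function validate_mapname(string $mapname): ?string
{
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $mapname) === 1 ? $mapname : null;
}

/**
 * Hardened version: reject anything that fails the allow-list, then encode
 * separately for the URL/attribute context and for the text context.
 */
function render_map_link_safe(string $mapname): string
{
    $clean = validate_mapname($mapname);
    if ($clean === null) {
        return ''; // Malformed name: render nothing rather than echo the input.
    }
    // Attribute context: URL-encode the query value, then HTML-encode it.
    $attr = htmlspecialchars(rawurlencode($clean), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Text context: HTML-encode; ENT_QUOTES also escapes single quotes.
    $text = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="weathermap.php?mapname=' . $attr . '">' . $text . '</a>';
}

// Constructed inputs for a self-check (not taken from the advisory).
foreach (['core-network.conf', 'has spaces and <brackets>'] as $in) {
    echo "[" . $in . "] -> " . render_map_link_safe($in) . PHP_EOL;
}
```

The second constructed input fails the allow-list and renders as an empty string, which is the behaviour to look for when verifying a fix of this kind: the application must never echo the rejected value back.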