CVE-2024-45061
Published: 15 January 2025
Summary
CVE-2024-45061 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Observium. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks in the top 27.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-45061 is a cross-site scripting (XSS) vulnerability in the weather map editor functionality of Observium Community Edition (CE) version 24.4.13528. The flaw allows arbitrary JavaScript code execution through a specially crafted HTTP request, classified under CWE-79 with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
An attacker can exploit this vulnerability by providing a malicious link to a low-privileged authenticated user, who must click it to trigger execution (UI:R). Over the network (AV:N) with low attack complexity (AC:L), successful exploitation enables high-impact confidentiality and integrity violations (C:H/I:H) in a changed scope (S:C), such as session hijacking or data exfiltration within the victim's browser context.
Details on mitigation, including patches or workarounds, are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2092.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41319
Vulnerability details
A cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary JavaScript code execution. An authenticated user would need to click a malicious link provided by the attacker.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS enables arbitrary JavaScript execution (T1059.007) in the victim's browser context and directly facilitates browser session hijacking (T1185) via malicious link delivery to authenticated users.
Mitigating Controls (NIST 800-53 r5)
SI-15 mandates filtering information prior to output to web pages, directly preventing arbitrary JavaScript execution from untrusted inputs in Observium's weather map editor.
SI-10 requires validation of all information inputs, blocking specially crafted HTTP requests containing malicious JavaScript payloads targeting the weather map editor.
SI-2 ensures timely flaw remediation, such as applying the vendor patch referenced in the Talos advisory to eliminate the specific XSS vulnerability in Observium CE 24.4.13528.
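The two input/output controls above, SI-10 (validate what comes in) and SI-15 (encode what goes out), are shown together in the following added example. It is illustrative code written for this page, not Observium's own code (Observium is a PHP application; the Python here only models the pattern). The "map name" parameter, the allowlist, and the sample request value are constructed assumptions, not values from the advisory. The unsafe renderer reflects the parameter verbatim, which is the CWE-79 pattern; the safe renderer encodes the same value separately for the HTML text context and for the URL-in-attribute context, and the request handler rejects anything outside the allowlist before rendering at all.

```python
"""Reflected-parameter handling: input validation (SI-10) and
context-aware output encoding (SI-15) for a hypothetical 'map name'
field of a weather map editor. Constructed example, not Observium code."""
import html
import re
from urllib.parse import quote

# SI-10 allowlist for a map identifier (assumed policy: letters, digits,
# space, underscore, dot, hyphen; 1..64 characters).
MAP_NAME_ALLOWLIST = re.compile(r"[A-Za-z0-9_ .-]{1,64}")

# Constructed sample request value containing markup characters; it is
# used only to show that the encoders neutralise them.
UNTRUSTED = 'core <b>switch</b> "edit"'


def validate_map_name(value: str) -> bool:
    """SI-10: accept only values that match the narrow allowlist."""
    return MAP_NAME_ALLOWLIST.fullmatch(value) is not None


def render_unsafe(map_name: str) -> str:
    """Vulnerable pattern (for contrast): untrusted input is reflected
    into HTML text and into an href attribute without encoding."""
    return (f"<h1>Editing map: {map_name}</h1>\n"
            f'<a href="editor?map={map_name}">reload</a>')


def render_safe(map_name: str) -> str:
    """SI-15: encode the value for each output context it lands in."""
    # 1. HTML text node: escape <, >, &, and quotes.
    text = html.escape(map_name, quote=True)
    # 2. URL query component: percent-encode everything but unreserved chars.
    url_param = quote(map_name, safe="")
    # 3. The URL then sits inside an HTML attribute, so attribute-escape it too.
    href = html.escape(f"editor?map={url_param}", quote=True)
    return (f"<h1>Editing map: {text}</h1>\n"
            f'<a href="{href}">reload</a>')


def handle_request(map_name: str) -> tuple[int, str]:
    """Defence in depth: validate first (SI-10), then encode on output
    (SI-15). Returns an (HTTP status, body) pair."""
    if not validate_map_name(map_name):
        return 400, "invalid map name"
    return 200, render_safe(map_name)


if __name__ == "__main__":
    print("unsafe:\n" + render_unsafe(UNTRUSTED))
    print("safe:\n" + render_safe(UNTRUSTED))
    print("handler:", handle_request(UNTRUSTED))
    print("handler:", handle_request("core-switch-01"))
```

Note the ordering inside `render_safe`: the value is percent-encoded for the URL context first and HTML-escaped for the attribute context second, because the browser decodes the attribute before it interprets the URL. Encoding in the wrong order, or for only one of the two contexts, leaves a gap that the allowlist in `handle_request` would catch in this example but that an output filter alone should not rely on.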