CVE-2024-45061

High · Public PoC

Published: 15 January 2025
Modified: 22 August 2025
KEV Added: not listed
Patch
CVSS Score (v3.1): 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0070 (72.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45061 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Observium Observium. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks in the top 27.5% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-45061 is a cross-site scripting (XSS) vulnerability in the weather map editor functionality of Observium Community Edition (CE) version 24.4.13528. The flaw allows arbitrary JavaScript code execution through a specially crafted HTTP request, classified under CWE-79 with a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

An attacker can exploit this vulnerability by providing a malicious link to a low-privileged authenticated user, who must click it to trigger execution (UI:R). Over the network (AV:N) with low attack complexity (AC:L), successful exploitation enables high-impact confidentiality and integrity violations (C:H/I:H) in a changed scope (S:C), such as session hijacking or data exfiltration within the victim's browser context.

Details on mitigation, including patches or workarounds, are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2092.

Vulnerability details

A cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary JavaScript code execution. An authenticated user would need to click a malicious link provided by the attacker.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

XSS enables arbitrary JavaScript execution (T1059.007) in the victim's browser context and directly facilitates session hijacking (T1185) via malicious link delivery to authenticated users.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-47002 · Same product: Observium Observium
CVE-2024-47140 · Same product: Observium Observium
CVE-2025-27279 · Shared CWE-79
CVE-2025-24541 · Shared CWE-79
CVE-2024-56036 · Shared CWE-79
CVE-2016-20032 · Shared CWE-79
CVE-2025-1401 · Shared CWE-79
CVE-2025-24416 · Shared CWE-79
CVE-2026-34566 · Shared CWE-79
CVE-2026-24744 · Shared CWE-79

Affected Assets

observium / observium / 24.4.13528

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-15 mandates filtering information prior to output to web pages, directly preventing arbitrary JavaScript execution from untrusted inputs in Observium's weather map editor.

Prevent: SI-10 requires validation of all information inputs, blocking specially crafted HTTP requests containing malicious JavaScript payloads targeting the weather map editor.

Prevent: SI-2 ensures timely flaw remediation, such as applying the vendor patch referenced in the Talos advisory to eliminate the specific XSS vulnerability in Observium CE 24.4.13528.