Vulnerability Key Information

Vulnerability Identifier
CVE ID: CVE-2020-25148

Vulnerability Type
Type: Cross Site Scripting (XSS)
Occurs in: iftype

Description
Description: Penetration testing revealed that the application is vulnerable to Cross-Site Scripting (XSS) attacks, as it may trigger XSS payloads.

Additional Information
Example Request to Trigger XSS Payload:

Server Response Snippet
Status: HTTP/1.1 200 OK
Date: Wed, 12 Aug 2020 09:48:05 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/7.0.30

Vulnerable Code Example
Location: /var/opt/observium/html/pages/iftype.inc.php

Vulnerability Type and Others
Type: Cross Site Scripting

Product Information
Vendor Website: https://www.observium.org/
Affected Codebase: Professional, Enterprise & Community 20.8.10631
Affected Component: iftype
Attack Type: Remote

References
https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf

Discoverer
Discoverer: Maciej Domański
Verified by: Maciej Domański / AFINE.com Team