CVE-2021-25933
20.05.2021, 15:15
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.
| Vendor | Product | Version |
|---|---|---|
| opennms | horizon | 1.0 ≤ 𝑥 < 27.1.1 |
| opennms | meridian | 2015.1.0 ≤ 𝑥 < 2019.1.19 |
| opennms | meridian | 2020.1.0 ≤ 𝑥 < 2020.1.7 |
𝑥
= Vulnerable software versions
References