Vulnerability Details: CVE-2021-25933
OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1, and OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 and meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1, are vulnerable to Stored Cross-Site Scripting, because the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files, which can cause severe damage to the organization using OpenNMS.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-25933
- cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:*
- cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-25933
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~39% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-25933
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | 
4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | 1.7 | 2.7 | NIST | 
CWE ids for CVE-2021-25933
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-25933
- https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c : NMS-13231: Backport Security Issues from Last Month · OpenNMS/opennms@eb08b5e · GitHub (Patch; Third Party Advisory)
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933 : CVE-2021-25933 | WhiteSource Vulnerability Database (Exploit; Third Party Advisory)
- https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e : NMS-13125: Escape userId & groupId · OpenNMS/opennms@f3ebfa3 · GitHub (Patch; Third Party Advisory)
- https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01, : Page not found · GitHub (Patch; Third Party Advisory)