CVE-2021-25932

low-risk

Published 2021-06-01

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.

Do I need to act?

0.26% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Meridian

Opennms

Affected Vendors

Opennms

References (8)

Patch https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c...

Patch https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa9...

Patch https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f1...

Exploit https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25932

Patch https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c...

Patch https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa9...

Patch https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f1...

Exploit https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25932

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 7/34 · Low