CVE-2021-25933

Public Exploit

Description

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.

References

Link	Tags
https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c	third party advisory patch
https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e	third party advisory patch
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933	third party advisory exploit
https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C

Frequently Asked Questions

What is the severity of CVE-2021-25933?: CVE-2021-25933 has been scored as a medium severity vulnerability.
How to fix CVE-2021-25933?: To fix CVE-2021-25933, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-25933 being actively exploited in the wild?: It is possible that CVE-2021-25933 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-25933?: CVE-2021-25933 affects n/a OpenNMS.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions