CVE-2021-25933

Exploit

EPSS 0.49%
Veröffentlicht 20.05.2021 15:15:07
Zuletzt bearbeitet 30.04.2025 21:15:51
Quelle vulnerabilitylab@mend.io
CVE-Watchlists
Login
Unerledigt
Login

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opennms ≫ Horizon Version >= 1.0 < 27.1.1

Opennms ≫ Meridian Version >= 2015.1.0 < 2019.1.19

Opennms ≫ Meridian Version >= 2020.1.0 < 2020.1.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.49%	0.647

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c

Patch

Third Party Advisory

https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C

https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e

Patch

Third Party Advisory

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-25933

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-25933

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-25933

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-25933