CVE-2021-25929

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
20/05/2021
Last modified:
30/04/2025

Description

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:* 1.0 (including) 27.1.1 (excluding)
cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:* 2015.1.0 (including) 2019.1.19 (excluding)
cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:* 2020.1.0 (including) 2020.1.7 (excluding)