CVE-2021-25931

Name of the Vulnerable Software and Affected Versions OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1 OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1

Description The issue is related to a lack of CSRF protection at the /opennms/admin/userGroupView/users/updateUser API endpoint. This flaw allows an attacker to assign the ROLE ADMIN security role to a normal user. An attacker can trick an admin user into assigning administrator privileges to a normal user by enticing them to click on an attacker-controlled website.

Recommendations For OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1, update to a version that includes the fix for this issue. For OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1, update to a version that includes the fix for this issue. For OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the /opennms/admin/userGroupView/users/updateUser API endpoint to minimize the risk of exploitation.