PT-2021-16862 · OpenNMS · OpenNMS Horizon +1

Published: 2021-06-01 · Updated: 2021-06-11 · CVE-2021-25932

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1
OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1
OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1
Description
The issue is a Stored Cross-Site Scripting vulnerability. The function validateFormInput() performs improper validation of the input sent in the userID parameter, so an attacker can inject an arbitrary script that is stored in the database and later rendered to other users.
Recommendations
For OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1, consider disabling the validateFormInput() function until a patch is available. For OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1, restrict access to the userID parameter to minimize the risk of exploitation. For OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1, avoid using the userID parameter in the affected API endpoints until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
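As an added illustration of the two controls that close a stored-XSS path like the one described for the userID parameter, the following is example code written for this entry; it is not OpenNMS code and does not reproduce the project's validateFormInput(). The allowlist pattern and the names validateUserId and escapeHtml are assumptions.

```javascript
// Added example, not OpenNMS code. Shows allowlist validation of a user-ID
// value on input plus HTML encoding on output; both are needed, because a
// validator that merely looks for "<script>" is easy to miss-configure, and
// a stored value is only safe if it is rendered as text, not markup.
// The character set and length limit below are assumptions for this example.
const USER_ID_PATTERN = /^[A-Za-z0-9._@-]{1,64}$/;

// Accept only strings built entirely from allowlisted characters.
// Any HTML metacharacter (<, >, ", ', &) fails the pattern and is refused
// before it can reach the database.
function validateUserId(value) {
  if (typeof value !== "string") return false;
  return USER_ID_PATTERN.test(value);
}

// Encode the five HTML-significant characters so a stored value is shown
// verbatim in the page even if the input-side check is ever bypassed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Constructed sample inputs: two ordinary IDs and one containing markup.
const SAMPLE_IDS = ["admin", "jane.doe@example.org", "<script>alert(1)</script>"];

// Run both controls over a list of candidate IDs and report the outcome.
function classifyIds(ids) {
  return ids.map((id) => ({
    id,
    accepted: validateUserId(id),
    rendered: escapeHtml(id),
  }));
}

console.log(classifyIds(SAMPLE_IDS));
```

The third sample is rejected by the allowlist; had it been stored anyway, escapeHtml() would render it as inert text.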

Exploit: XSS


Weakness Enumeration

Related Identifiers: CVE-2021-25932

Affected Products: OpenNMS Horizon, OpenNMS Meridian