PT-2021-16863 · Opennms · Opennms Horizon+1

Published: 2021-05-20 · Updated: 2021-05-26 · CVE-2021-25933

CVSS v3.1: 4.8 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1
OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1
OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1

Description

The issue is related to Stored Cross-Site Scripting. The function validateFormInput() performs improper validation checks on the input sent to the groupName and groupComment parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files, which can cause severe damage to the organization using OpenNMS.

Recommendations

For OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1, update to a version later than opennms-27.1.0-1.
For OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1, update to a version later than meridian-foundation-2019.1.18-1.
For OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1, update to a version later than meridian-foundation-2020.1.6-1.

As a temporary workaround, consider disabling the validateFormInput() function until a patch is available. Restrict access to the groupName and groupComment parameters to minimize the risk of exploitation.

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-25933
GHSA-JJHW-5MXP-2G2Q

Affected Products

Opennms Horizon
Opennms Meridian