CVE-2021-25934

Name of the Vulnerable Software and Affected Versions OpenNMS Horizon versions opennms-18.0.0-1 through opennms-27.1.0-1 OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1

Description The issue is related to Stored Cross-Site Scripting. The createRequisitionedNode() function does not validate input sent to the node-label parameter, allowing an attacker to inject arbitrary scripts that will be stored in the database.

Recommendations For OpenNMS Horizon versions opennms-18.0.0-1 through opennms-27.1.0-1, consider disabling the createRequisitionedNode() function until a patch is available. For OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1, restrict access to the node-label parameter to minimize the risk of exploitation. For OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1, avoid using the node-label parameter in the affected API endpoint until the issue is resolved.