CVE-2021-25935

Name of the Vulnerable Software and Affected Versions OpenNMS Horizon versions opennms-17.0.0-1 through opennms-27.1.0-1 OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1

Description The issue is related to Stored Cross-Site Scripting. The add() function performs improper validation checks on the input sent to the foreign-source parameter, allowing an attacker to bypass existing regex validation and inject an arbitrary script that will be stored in the database.

Recommendations For OpenNMS Horizon versions opennms-17.0.0-1 through opennms-27.1.0-1, consider disabling the add() function until a patch is available to prevent exploitation. For OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1, restrict access to the foreign-source parameter to minimize the risk of script injection. For OpenNMS Meridian versions meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1, avoid using the foreign-source parameter in the affected API endpoint until the issue is resolved.