GHSA-9hhc-cc6c-99hh — medium GitHub Advisory (CVE-2021-25934) in maven/org.opennms:opennms

Description

In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function createRequisitionedNode() does not perform any validation checks on the input sent to the node-label parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database.

Basic information

Type: reviewed
Severity: medium
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Not specified
Published (advisory): 2022-05-24 19:03:10 UTC
Updated: 2023-07-13 17:03:31 UTC
GitHub reviewed: 2023-07-13 17:03:30 UTC
NVD published: 2021-05-25

Score	Percentile
0.28%	51.52%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-9hhc-cc6c-99hh ↗
CVE	CVE-2021-25934 ↗

CWEs

CWE id	Name
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	org.opennms:opennms	>= 18.0.0-1, <= 27.1.0-1	—	—

OpenNMS Horizon vulnerable to XSS