CVE-2021-25933 - Vulnerability Details - OpenCVE

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Opennms	Horizon Meridian

Configuration 1 [-]

OR	cpe:2.3:a:opennms:horizon::::::::
	cpe:2.3:a:opennms:meridian::::::::
	cpe:2.3:a:opennms:meridian::::::::

No data.

References

Link	Providers
https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C
https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c
https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933

History

Wed, 30 Apr 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2021-05-20T14:59:24.000Z

Updated: 2025-04-30T20:22:32.622Z

Reserved: 2021-01-22T00:00:00.000Z

Link: CVE-2021-25933

Vulnrichment

Updated: 2024-08-03T20:11:28.503Z

NVD

Status : Modified

Published: 2021-05-20T15:15:07.720

Modified: 2025-04-30T21:15:51.057

Link: CVE-2021-25933

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "OpenNMS", "vendor": "n/a", "versions": [{"status": "affected", "version": "opennms-1-0-stable,opennms-1.0.1 through opennms-27.1.0-1,meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1,meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1"}]}], "descriptions": [{"lang": "en", "value": "In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms."}], "problemTypes": [{"descriptions": [{"description": "Cross-Site Scripting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-20T14:59:24.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e"}, {"tags": ["x_refsource_MISC"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "ID": "CVE-2021-25933", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OpenNMS", "version": {"version_data": [{"version_value": "opennms-1-0-stable,opennms-1.0.1 through opennms-27.1.0-1,meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1,meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Scripting"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c", "refsource": "MISC", "url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"}, {"name": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e", "refsource": "MISC", "url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e"}, {"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933", "refsource": "MISC", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933"}, {"name": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01,", "refsource": "MISC", "url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01,"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:11:28.503Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-30T18:49:52.571696Z", "id": "CVE-2021-25933", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T20:22:32.622Z"}}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2021-25933", "datePublished": "2021-05-20T14:59:24.000Z", "dateReserved": "2021-01-22T00:00:00.000Z", "dateUpdated": "2025-04-30T20:22:32.622Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:11:28.503Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-25933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-30T18:49:52.571696Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T18:50:12.238Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "OpenNMS", "versions": [{"status": "affected", "version": "opennms-1-0-stable,opennms-1.0.1 through opennms-27.1.0-1,meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1,meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1"}]}], "references": [{"url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e", "tags": ["x_refsource_MISC"]}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Cross-Site Scripting"}]}], "providerMetadata": {"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend", "dateUpdated": "2021-05-20T14:59:24.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "opennms-1-0-stable,opennms-1.0.1 through opennms-27.1.0-1,meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1,meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1"}]}, "product_name": "OpenNMS"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c", "name": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c", "refsource": "MISC"}, {"url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e", "name": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e", "refsource": "MISC"}, {"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933", "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933", "refsource": "MISC"}, {"url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01,", "name": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01,", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Scripting"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-25933", "STATE": "PUBLIC", "ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com"}}}}, "cveMetadata": {"cveId": "CVE-2021-25933", "state": "PUBLISHED", "dateUpdated": "2025-04-30T20:22:32.622Z", "dateReserved": "2021-01-22T00:00:00.000Z", "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "datePublished": "2021-05-20T14:59:24.000Z", "assignerShortName": "Mend"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:*", "matchCriteriaId": "B38D9FCC-AF2B-46B6-9573-04EE36A2BAEB", "versionEndExcluding": "27.1.1", "versionStartIncluding": "1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBFB1241-8D42-4F61-B855-210D963B4B4E", "versionEndExcluding": "2019.1.19", "versionStartIncluding": "2015.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*", "matchCriteriaId": "492F27E1-43CF-4823-B132-DC2730CB8CEA", "versionEndExcluding": "2020.1.7", "versionStartIncluding": "2020.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms."}, {"lang": "es", "value": "En OpenNMS Horizon, versiones opennms-1-0-stable hasta opennms-27.1.0-1; OpenNMS Meridian, versiones meridian-foundation-2015.1.0-1 hasta meridian-foundation-2019.1.18-1; versiones meridian-foundation-2020.1.0-1 hasta meridian-foundation-2020.1.6-1, son vulnerables a ataques de tipo Cross-Site Scripting almacenados, ya que la funci\u00f3n \"validateFormInput()\" lleva a cabo validaciones de comprobaci\u00f3n inapropiadas en la entrada enviada a los par\u00e1metros \"groupName\" y \"groupComment\". Debido a este fallo, un atacante autenticado podr\u00eda inyectar un script arbitrario y enga\u00f1ar a otros usuarios administradores para que descarguen archivos maliciosos que pueden causar da\u00f1os severos a la organizaci\u00f3n usando opennms"}], "id": "CVE-2021-25933", "lastModified": "2025-04-30T21:15:51.057", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2021-05-20T15:15:07.720", "references": [{"source": "vulnerabilitylab@mend.io", "url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01%2C"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25933"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}