CVE-2020-11886

HIGH

OpenNMS Horizon < 25.2.1 and Meridian 2017-2019 - SQL Injection via NodeListController snmpParm

Title source: llm
STIX 2.1

Description

OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017 before 2017.1.21.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_misc
https://issues.opennms.org/browse/NMS-12572

Scores

CVSS v3 8.1
EPSS 0.0138
EPSS Percentile 69.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-89
Status published
Products (2)
opennms/horizon < 25.2.1
opennms/meridian 2017 - 2017.1.21
Published Apr 17, 2020
Tracked Since Feb 18, 2026