CVE-2021-25930

MEDIUM

OpenNMS Horizon < 27.1.1 and Meridian < 2019.1.19 - Cross-Site Request Forgery


Description

OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1, and OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 and meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1, are vulnerable to CSRF because there is no CSRF protection and because an existing user name is not validated when a user is renamed. As a result, the privileges of the renamed user are overwritten by the old user, and the old user is deleted from the user list.

Scores

CVSS v3 4.3
EPSS 0.0063
EPSS Percentile 46.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (4)
opennms/horizon 1.0 - 27.1.1
opennms/meridian 2015.1.0 - 2019.1.19
org.opennms/opennms 1.0.0 - 27.1.1 (Maven)
org.opennms/opennms-config 1.0.0 - 27.1.1 (Maven)
Published May 20, 2021
Tracked Since Feb 18, 2026