CVE-2021-25935

MEDIUM

OpenNMS Horizon 17.0.0-27.1.0 and Meridian 2015.1.0-2019.1.18 - Stored Cross-Site Scripting via Foreign Source Parameter

Title source: llm
STIX 2.1

Description

In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary script which will be stored in the database.

Scores

CVSS v3 5.4
EPSS 0.0091
EPSS Percentile 55.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
opennms/horizon 17.0.0 - 27.1.0
opennms/meridian 2015.1.0 - 2019.1.18
Published May 25, 2021
Tracked Since Feb 18, 2026