CVE-2025-53121
MEDIUMOpenNMS Horizon < 33.1.6 and Meridian < 2024.2.6 - Stored Cross-Site Scripting via Unsanitized Node Parameters
Title source: llmDescription
Multiple stored XSS were found on different nodes with unsanitized parameters in OpenMNS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms that allow an attacker to store on database and then inject HTML and/or Javascript on the page. The solution is to upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Fábio Tomé for reporting this issue.
References (2)
Core 2
Core References
Various Sources
https://github.com/OpenNMS/opennms
Issue Tracking
https://github.com/OpenNMS/opennms/pull/7708
Scores
CVSS v4
6.9
EPSS
0.0021
EPSS Percentile
11.0%
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (6)
The OpenNMS Group/Horizon
< 33.0.8
The OpenNMS Group/Horizon
33.0.8 - 33.1.6, 33.1.7
The OpenNMS Group/Meridian
2023.0.0 - 2023.1.20
The OpenNMS Group/Meridian
2023.1.20 - 2024.2.6, 2024.2.7
The OpenNMS Group/Meridian
2024.0.0 - 2024.1.4
The OpenNMS Group/Meridian
2024.1.4 - 2024.2.6, 2024.2.7
Published
Jun 26, 2025
Tracked Since
Feb 18, 2026