Total
13 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0868 | 1 Opennms | 2 Horizon, Meridian | 2023-03-07 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting in graph results in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to steal session cookies. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0815 | 1 Opennms | 2 Horizon, Meridian | 2023-03-07 | N/A | 6.5 MEDIUM |
| Potential Insertion of Sensitive Information into Jetty Log Files in multiple versions of OpenNMS Meridian and Horizon could allow disclosure of usernames and passwords if the logging level is set to debug. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0869 | 1 Opennms | 2 Horizon, Meridian | 2023-03-03 | N/A | 6.1 MEDIUM |
| Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0867 | 1 Opennms | 2 Horizon, Meridian | 2023-03-03 | N/A | 6.1 MEDIUM |
| Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2023-0846 | 1 Opennms | 2 Horizon, Meridian | 2023-03-03 | N/A | 6.1 MEDIUM |
| Unauthenticated, stored cross-site scripting in the display of alarm reduction keys in multiple versions of OpenNMS Horizon and Meridian could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | |||||
| CVE-2021-3396 | 1 Opennms | 3 Horizon, Meridian, Newts | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote code execution using JEXL expressions. | |||||
| CVE-2021-25934 | 1 Opennms | 2 Horizon, Meridian | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| In OpenNMS Horizon, versions opennms-18.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `createRequisitionedNode()` does not perform any validation checks on the input sent to the `node-label` parameter. Due to this flaw an attacker could inject an arbitrary script which will be stored in the database. | |||||
| CVE-2021-25935 | 1 Opennms | 2 Horizon, Meridian | 2021-06-03 | 3.5 LOW | 5.4 MEDIUM |
| In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site Scripting, since the function `add()` performs improper validation checks on the input sent to the `foreign-source` parameter. Due to this flaw an attacker could bypass the existing regex validation and inject an arbitrary script which will be stored in the database. | |||||
| CVE-2021-25933 | 1 Opennms | 2 Horizon, Meridian | 2021-05-26 | 3.5 LOW | 4.8 MEDIUM |
| In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting, since the function `validateFormInput()` performs improper validation checks on the input sent to the `groupName` and `groupComment` parameters. Due to this flaw, an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms. | |||||
| CVE-2021-25931 | 1 Opennms | 2 Horizon, Meridian | 2021-05-26 | 6.8 MEDIUM | 8.8 HIGH |
| In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website. | |||||
| CVE-2021-25929 | 1 Opennms | 2 Horizon, Meridian | 2021-05-26 | 3.5 LOW | 4.8 MEDIUM |
| In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files. | |||||
| CVE-2021-25930 | 1 Opennms | 2 Horizon, Meridian | 2021-05-26 | 4.3 MEDIUM | 4.3 MEDIUM |
| In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list. | |||||
| CVE-2020-11886 | 1 Opennms | 2 Horizon, Meridian | 2020-05-05 | 5.5 MEDIUM | 8.1 HIGH |
| OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017 before 2017.1.21. | |||||