HIGH🇵🇱 Wersja polska

CVE-2021-25931

CVSS 8.8v3.1pub. 2021-05-20upd. 2025-04-30

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Opennms Horizon

    APP
    Opennms
    1.0 – 27.1.1 (bez)
  • Opennms Meridian

    APP
    Opennms
    2015.1.0 – 2019.1.19 (bez)2020.1.0 – 2020.1.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-40313HIGH7.1ten sam produkt

A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in rela...

CVE-2023-0872HIGH8.2ten sam produkt

The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on m...

CVE-2023-0870HIGH8.1ten sam produkt

A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon...

CVE-2021-3396HIGH8.8ten sam produkt

OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1...

CVE-2020-11886HIGH8.1ten sam produkt

OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snm...