CVE-2021-25929

Overview

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1--meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site Scripting since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files.

Details

The module `opennms` can be abused by Stored Cross-Site Scripting vulnerability since there is no validation on the input being sent to the `name` parameter in `noticeWizard` endpoint. Due to this flaw an authenticated attacker could inject arbitrary script and trick other admin users into downloading malicious files which can cause severe damage to the organization using opennms.

PoC Details

Login to the application and navigate to the “opennms/admin/notification/noticeWizard/choosePath.jsp” endpoint.
Insert the payload into the “Name" field and click on “Finish". Also add some text in the “Test Message" field since it is a mandatory field.
Now a pop-up will be presented, indicaticating the successful execution of the script.

PoC Code

<script>alert(“XSS in Choose Path")</script>

Affected Environments

opennms-1-0-stable, opennms-1.0.1 through opennms-27.1.0-1 meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1

Prevention

Upgrade to Horizon 2.7.1.1, Meridian 2020.1.7 or Meridian 2019.1.19