First published: Thu May 20 2021(Updated: )
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list.
Credit: vulnerabilitylab@mend.io vulnerabilitylab@mend.io
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.opennms:opennms-config | >=1.0.0<27.1.1 | 27.1.1 |
maven/org.opennms:opennms | >=1.0.0<27.1.1 | 27.1.1 |
OpenNMS Horizon | >=1.0<27.1.1 | |
OpenNMS Meridian | >=2015.1.0<2019.1.19 | |
OpenNMS Meridian | >=2020.1.0<2020.1.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2021-25930.
The severity level of CVE-2021-25930 is medium with a score of 4.3.
OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.1 are affected by CVE-2021-25930.
OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1, and meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are affected by CVE-2021-25930.
Yes, CSRF protection is missing in OpenNMS Horizon and OpenNMS Meridian, making them vulnerable to CSRF attacks.
The CWE ID for this vulnerability is 352.
To fix the CVE-2021-25930 vulnerability, update OpenNMS Horizon and OpenNMS Meridian to versions 27.1.1 or above.