Show filters
32 Total Results
Displaying 21-30 of 32
Sort by:
Attacker Value
Unknown
CVE-2021-25930
Disclosure Date: May 20, 2021 (last updated November 28, 2024)
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list.
0
Attacker Value
Unknown
CVE-2021-3396
Disclosure Date: February 17, 2021 (last updated November 28, 2024)
OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote code execution using JEXL expressions.
0
Attacker Value
Unknown
CVE-2020-1652
Disclosure Date: July 08, 2020 (last updated November 28, 2024)
OpenNMS is accessible via port 9443
0
Attacker Value
Unknown
CVE-2020-12760
Disclosure Date: May 11, 2020 (last updated October 06, 2023)
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
0
Attacker Value
Unknown
CVE-2020-11886
Disclosure Date: April 17, 2020 (last updated November 27, 2024)
OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017 before 2017.1.21.
0
Attacker Value
Unknown
CVE-2016-6556
Disclosure Date: September 14, 2016 (last updated November 29, 2024)
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This issue was fixed in version 18.0.2, released on September 20, 2016.
0
Attacker Value
Unknown
CVE-2016-6555
Disclosure Date: September 14, 2016 (last updated November 29, 2024)
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016.
0
Attacker Value
Unknown
CVE-2015-7856
Disclosure Date: October 16, 2015 (last updated October 05, 2023)
OpenNMS has a default password of rtc for the rtc account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
0
Attacker Value
Unknown
CVE-2014-3960
Disclosure Date: June 04, 2014 (last updated October 05, 2023)
Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before 1.12.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
0
Attacker Value
Unknown
CVE-2012-0936
Disclosure Date: January 29, 2012 (last updated October 04, 2023)
Cross-site scripting (XSS) vulnerability in web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java in OpenNMS 1.8.x before 1.8.17, 1.9.93 and earlier, and 1.10.x before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via the Username field, related to login.
0