Title: Multiple stored XSS in OpenNMS Horizon
CVE ID: CVE-2025-53121
CVSSv4 Base Score: 6.9 AV:A/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Vendor: The OpenNMS Group
Products: OpenNMS Horizon
Advisory Release Date: 26/06/2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-53121
Credits: Discovery by Fábio Tomé fabio.tome@devoteam.com
OpenNMS is an open-source network monitoring platform for visualizing and monitoring local and distributed networks. Multiple stored XSS vulnerabilities were found on different nodes with unsanitized parameters in OpenNMS Horizon 33.0.8 and versions earlier than 33.1.6, on multiple platforms. They allow an attacker to store a payload in the database and then inject HTML and/or JavaScript into the page.
>= 33.0.8, <= 33.1.6
Upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer
26/04/2024 - Bug reported to OpenNMS
13/04/2025 - Bug verified by OpenNMS
22/04/2025 - Solved by OpenNMS
26/06/2025 - Advisory released
https://opennms.atlassian.net/browse/NMS-17875
https://github.com/OpenNMS/opennms/pull/7708
https://github.com/advisories/GHSA-cjcp-5fq7-pgm2
https://nvd.nist.gov/vuln/detail/CVE-2025-53121
© 2025 INTEGRITY S.A. All rights reserved.