CVE-2025-53121 - Multiple stored XSS in OpenNMS Horizon

1. Vulnerability Properties

Title: Multiple stored XSS in OpenNMS Horizon
CVE ID: CVE-2025-53121
CVSSv4 Base Score: 6.9 AV:A/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Vendor: The OpenNMS Group
Products: OpenNMS Horizon
Advisory Release Date: 26/06/2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-53121
Credits: Discovery by Fábio Tomé fabio.tome@devoteam.com

2. Vulnerability Summary

OpenNMS is an open-source network monitoring platform for visualizing and monitoring local and distributed networks. Multiple stored XSS vulnerabilities were found on different nodes with unsanitized parameters in OpenNMS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms. They allow an attacker to store input in the database and then inject HTML and/or JavaScript into the page.

4. Vulnerable Versions

>= 33.0.8, <= 33.1.6

5. Solution

Upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer

6. Vulnerability Timeline

26/04/2024 - Bug reported to OpenNMS
13/04/2025 - Bug verified by OpenNMS
22/04/2025 - Solved by OpenNMS
26/06/2025 - Advisory released

7. References

https://opennms.atlassian.net/browse/NMS-17875
https://github.com/OpenNMS/opennms/pull/7708
https://github.com/advisories/GHSA-cjcp-5fq7-pgm2
https://nvd.nist.gov/vuln/detail/CVE-2025-53121



© 2025 INTEGRITY S.A. All rights reserved.