Cross site request forgery (csrf)

2021-05-2014:15:00

PRIOn knowledge base

www.prio-n.com

4.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.6%

JSON

In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection, and since there is no validation of an existing user name while renaming a user. As a result, privileges of the renamed user are being overwritten by the old user and the old user is being deleted from the user list.

CPENameOperatorVersion
horizonge1.0
horizonlt27.1.1
meridiange2020.1.0
meridianlt2020.1.7
meridiange2015.1.0
meridianlt2019.1.19

Name	Operator	Version
horizon	ge	1.0
horizon	lt	27.1.1
meridian	ge	2020.1.0
meridian	lt	2020.1.7
meridian	ge	2015.1.0
meridian	lt	2019.1.19

References

github.com/OpenNMS/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84

github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c

www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25930