{"id":"CVE-2021-25932","details":"OpenNMS Horizon versions opennms-1-0-stable through opennms-27.1.0-1, and OpenNMS Meridian versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1 and meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1, are vulnerable to Stored Cross-Site Scripting because the function `validateFormInput()` performs improper validation checks on the input sent to the `userID` parameter. Due to this flaw, an attacker could inject an arbitrary script, which will be stored in the database.","modified":"2026-04-11T13:54:00.732950Z","published":"2021-06-01T12:15:07.787Z","references":[{"type":"FIX","url":"https://github.com/OpenNMS/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01"},{"type":"FIX","url":"https://github.com/OpenNMS/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"type":"FIX","url":"https://github.com/OpenNMS/opennms/commit/f3ebfa3da5352b4d57f238b54c6db315ad99f10e"},{"type":"EVIDENCE","url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25932"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opennms/opennms","events":[{"introduced":"9e5617454f5f5d44dcd2fff3a33b603038b52530"},{"last_affected":"131b5855eb8f9faac769718f99b3df890f6cdf34"},{"introduced":"0d3624eadab83197935d675b014fa7d8190e0258"},{"last_affected":"9192675b3a845f997d6ebdb08280328314f7386e"},{"introduced":"67c7635a68963a3005df7aedd41195eb23d9f41b"},{"last_affected":"ffc0c969cd38a879804ee43cab2909afa29c82f5"},{"fixed":"8a97e6869d6e49da18b208c837438ace80049c01"},{"fixed":"eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c"},{"fixed":"f3ebfa3da5352b4d57f238b54c6db315ad99f10e"}],"database_specific":{"versions":[{"introduced":"2015.1.0-1"},{"last_affected":"2019.1.18-1"},{"introduced":"2020.1.0-1"},{"last_affected":"2020.1.6-1"},{"introduced":"1.0"},{"last_affected":"27.1.0-1"}]}}],"versions":["meridian-foundation-2020.1.0-1","meridian-foundation-2020.1.1-1","meridian-foundation-2020.1.2-1","meridian-fou
ndation-2020.1.3-1","meridian-foundation-2020.1.4-1","meridian-foundation-2020.1.5-1","meridian-foundation-2020.1.6-1"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"function":"renameGroup","file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"},"id":"CVE-2021-25932-04412c6e","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signature_type":"Function","digest":{"length":314,"function_hash":"144759024573714915384785318319942410353"}},{"deprecated":false,"target":{"function":"doPost","file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java"},"id":"CVE-2021-25932-26db798a","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signature_type":"Function","digest":{"length":378,"function_hash":"140896969588649620875571293911303623336"}},{"deprecated":false,"target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java"},"id":"CVE-2021-25932-41541a66","source":"https://github.com/opennms/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["89256397304596016052036103843694799455","228142828937052465100599374335507169788","253436531422684568205797174898232887867"]}},{"deprecated":false,"target":{"file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"},"id":"CVE-2021-25932-42644239","source":"https://github.com/opennms/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["58730506138354010431660930680209411599","131372045428180590852460578241088976601","107737349864204963929678012583384325367","6897653343869269317735066625920671701","220882383980174487142093456676728608479","52485355
072899409265839311709820086238"]}},{"deprecated":false,"target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java"},"id":"CVE-2021-25932-68900349","source":"https://github.com/opennms/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["63862115445021482406981461159020448473","192790766046859987790732110517539223001","264559957673844931483714759827957494060","187562419973017837990659765287661653505"]}},{"deprecated":false,"target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java"},"id":"CVE-2021-25932-756876d8","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["63862115445021482406981461159020448473","192790766046859987790732110517539223001","264559957673844931483714759827957494060","187562419973017837990659765287661653505"]}},{"deprecated":false,"target":{"function":"renameGroup","file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"},"id":"CVE-2021-25932-82a162d6","source":"https://github.com/opennms/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01","signature_version":"v1","signature_type":"Function","digest":{"length":314,"function_hash":"144759024573714915384785318319942410353"}},{"deprecated":false,"target":{"file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java"},"id":"CVE-2021-25932-84167b85","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["89256397304596016052036103843694799455","228142828937052465100599374335507169788","253436531422684568205797174898232887867"]}},{"deprecated":false,"target":{"function":"addGroup","file":"opennms-webapp/sr
c/main/java/org/opennms/web/controller/admin/group/GroupController.java"},"id":"CVE-2021-25932-8686c0a9","source":"https://github.com/opennms/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01","signature_version":"v1","signature_type":"Function","digest":{"length":610,"function_hash":"296653347434168606010481034581794117613"}},{"deprecated":false,"target":{"file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"},"id":"CVE-2021-25932-b51ae946","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["58730506138354010431660930680209411599","131372045428180590852460578241088976601","107737349864204963929678012583384325367","6897653343869269317735066625920671701","220882383980174487142093456676728608479","52485355072899409265839311709820086238"]}},{"deprecated":false,"target":{"function":"doPost","file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java"},"id":"CVE-2021-25932-b97ea70a","source":"https://github.com/opennms/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01","signature_version":"v1","signature_type":"Function","digest":{"length":1151,"function_hash":"198479055700301882740520908056306576753"}},{"deprecated":false,"target":{"function":"addGroup","file":"opennms-webapp/src/main/java/org/opennms/web/controller/admin/group/GroupController.java"},"id":"CVE-2021-25932-cb44f906","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signature_type":"Function","digest":{"length":610,"function_hash":"296653347434168606010481034581794117613"}},{"deprecated":false,"target":{"file":"smoke-test/src/test/java/org/opennms/smoketest/UserIT.java"},"id":"CVE-2021-25932-d4ce405d","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signat
ure_type":"Line","digest":{"threshold":0.9,"line_hashes":["215985755002245887884707550113681684850","11438173654715828717935667960271049116","176681594848500904939248140376016076557"]}},{"deprecated":false,"target":{"function":"doPost","file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/AddNewUserServlet.java"},"id":"CVE-2021-25932-eed35066","source":"https://github.com/opennms/opennms/commit/eb08b5ed4c5548f3e941a1f0d0363ae4439fa98c","signature_version":"v1","signature_type":"Function","digest":{"length":1151,"function_hash":"198479055700301882740520908056306576753"}},{"deprecated":false,"target":{"function":"doPost","file":"opennms-webapp/src/main/java/org/opennms/web/admin/users/RenameUserServlet.java"},"id":"CVE-2021-25932-f994b4d6","source":"https://github.com/opennms/opennms/commit/8a97e6869d6e49da18b208c837438ace80049c01","signature_version":"v1","signature_type":"Function","digest":{"length":378,"function_hash":"140896969588649620875571293911303623336"}}],"vanir_signatures_modified":"2026-04-11T13:54:00Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25932.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}