CVE-2021-25931
Summary
| CVE | CVE-2021-25931 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-05-20 15:15:00 UTC |
| Updated | 2021-05-26 20:51:00 UTC |
| Description | In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2021-25931 | WhiteSource Vulnerability Database | MISC | www.whitesourcesoftware.com | |
| NMS-13231: Backport Security Issues from Last Month · OpenNMS/opennms@eb08b5e · GitHub | MISC | github.com | |
| NMS-13124: Fixed user deletion by renaming bug and CSRF privilege esc… · OpenNMS/opennms@607151e · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 983825 Java (maven) Security Update for org.opennms:opennms (GHSA-2rq5-68hm-h4j8)