5 results (0.029 seconds)

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1

OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This issue was fixed in version 18.0.2, released on September 20, 2016. OpenNMS versiones 18.0.1 y anteriores, son vulnerables a un problema de tipo XSS almacenado debido a un filtrado insuficiente de los datos suministrados por el agente SNMP. Al crear una respuesta SNMP "sysName" o "sysContact" maliciosa, un atacante puede almacenar una carga útil de tipo XSS que será desencadenada cuando un usuario de la Interfaz web visualice los datos. • https://github.com/OpenNMS/opennms/pull/1019 https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1

OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016. OpenNMS versiones 18.0.1 y anteriores, son vulnerables a un problema de tipo XSS almacenado debido a un filtrado insuficiente de los datos suministrados por las trampas SNMP. Al crear un trap SNMP malicioso, un atacante puede almacenar una carga útil de tipo XSS que será desencadenada cuando un usuario de la Interfaz web visualice la página de la lista de eventos. • https://github.com/OpenNMS/opennms/pull/1019 https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 44EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before 1.12.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de XSS en OpenNMS anterior a 1.12.7 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://secunia.com/advisories/58748 http://www.opennms.org/documentation/ReleaseNotesStable.html#opennms-1.12.7 http://www.securityfocus.com/bid/67774 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 119EXPL: 0

Cross-site scripting (XSS) vulnerability in web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java in OpenNMS 1.8.x before 1.8.17, 1.9.93 and earlier, and 1.10.x before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via the Username field, related to login. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java en OpenNMS v1.8.x antes de v1.8.17, v1.9.93 y anteriores, y v1.10.x antes de v1.10.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo de nombre de usuario (Username). Se trata de un problema relacionado con el inicio de sesión. • http://fisheye.opennms.org/browse/opennms/features/springframework-security/src/main/java/org/opennms/web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java?r2=d2ce15470cb6c87c115c918eb86ef147486a9166&r1=80b80e110e4bce568fc2c6c0a15a http://issues.opennms.org/browse/NMS-5128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs http://issues.opennms.org/browse/NMS/fixforversion/10824#atl_token=BCL8-RCDX-MB62-2EZT%7C38eaf469042162355c28f5393587690a8388d556%7Clout&selectedTab=com.atlassian.jira.plugin.system.project%3Aversion-summary-pane • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 28EXPL: 7

Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before 1.5.94 allow remote attackers to inject arbitrary web script or HTML via (1) the j_username parameter to j_acegi_security_check, (2) the username parameter to notification/list.jsp, and (3) the filter parameter to event/list. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en OpenNMS anteriores a 1.5.94, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de los parámetros (1) "j_username" a j_acegi_security_check, (2)el parámetro "username" a notification/list.jsp, y (3) el parámetro "filter" a event/list. • https://www.exploit-db.com/exploits/32425 https://www.exploit-db.com/exploits/32423 https://www.exploit-db.com/exploits/32424 http://bugzilla.opennms.org/show_bug.cgi?id=2631 http://bugzilla.opennms.org/show_bug.cgi?id=2633 http://bugzilla.opennms.org/show_bug.cgi?id=2634 http://secunia.com/advisories/32019 http://www.opennms.org/documentation/ReleaseNotesUnStable.html#d788e257 http://www.securityfocus.com/bid/31410 https://exchange.xforce.ibmcloud.com/vulnerabilities/45417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •