CVE-2015-7856
https://notcve.org/view.php?id=CVE-2015-7856
OpenNMS has a default password of rtc for the rtc account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. OpenNMS tiene una contraseña por defecto de rtc para la cuenta rtc, lo que hace más fácil para atacantes remotos obtener acceso aprovechando conocer las credenciales. • http://www.opennms.org/wiki/CVE-2015-0975 http://www.rapid7.com/db/modules/auxiliary/gather/opennms_xxe • CWE-255: Credentials Management Errors •
CVE-2014-3960
https://notcve.org/view.php?id=CVE-2014-3960
Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before 1.12.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de XSS en OpenNMS anterior a 1.12.7 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://secunia.com/advisories/58748 http://www.opennms.org/documentation/ReleaseNotesStable.html#opennms-1.12.7 http://www.securityfocus.com/bid/67774 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-0936
https://notcve.org/view.php?id=CVE-2012-0936
Cross-site scripting (XSS) vulnerability in web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java in OpenNMS 1.8.x before 1.8.17, 1.9.93 and earlier, and 1.10.x before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via the Username field, related to login. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java en OpenNMS v1.8.x antes de v1.8.17, v1.9.93 y anteriores, y v1.10.x antes de v1.10.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo de nombre de usuario (Username). Se trata de un problema relacionado con el inicio de sesión. • http://fisheye.opennms.org/browse/opennms/features/springframework-security/src/main/java/org/opennms/web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java?r2=d2ce15470cb6c87c115c918eb86ef147486a9166&r1=80b80e110e4bce568fc2c6c0a15a http://issues.opennms.org/browse/NMS-5128?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs http://issues.opennms.org/browse/NMS/fixforversion/10824#atl_token=BCL8-RCDX-MB62-2EZT%7C38eaf469042162355c28f5393587690a8388d556%7Clout&selectedTab=com.atlassian.jira.plugin.system.project%3Aversion-summary-pane • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-6095
https://notcve.org/view.php?id=CVE-2008-6095
Cross-site scripting (XSS) vulnerability in surveillanceView.htm in OpenNMS 1.5.94 allows remote attackers to inject arbitrary web script or HTML via the viewName parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el archivo surveillanceView.htm en OpenNMS v1.5.94 que permite a los atacantes remotos inyectar arbitrariamente una secuencia de comandos web o HTML a través del parámetro viewName. • http://bugzilla.opennms.org/show_bug.cgi?id=2760 http://secunia.com/advisories/32101 http://www.opennms.org/documentation/ReleaseNotesUnStable.html http://www.securityfocus.com/bid/31539 https://exchange.xforce.ibmcloud.com/vulnerabilities/45616 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-4320 – OpenNMS 1.5.x - 'filter' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-4320
Multiple cross-site scripting (XSS) vulnerabilities in OpenNMS before 1.5.94 allow remote attackers to inject arbitrary web script or HTML via (1) the j_username parameter to j_acegi_security_check, (2) the username parameter to notification/list.jsp, and (3) the filter parameter to event/list. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en OpenNMS anteriores a 1.5.94, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de los parámetros (1) "j_username" a j_acegi_security_check, (2)el parámetro "username" a notification/list.jsp, y (3) el parámetro "filter" a event/list. • https://www.exploit-db.com/exploits/32425 https://www.exploit-db.com/exploits/32423 https://www.exploit-db.com/exploits/32424 http://bugzilla.opennms.org/show_bug.cgi?id=2631 http://bugzilla.opennms.org/show_bug.cgi?id=2633 http://bugzilla.opennms.org/show_bug.cgi?id=2634 http://secunia.com/advisories/32019 http://www.opennms.org/documentation/ReleaseNotesUnStable.html#d788e257 http://www.securityfocus.com/bid/31410 https://exchange.xforce.ibmcloud.com/vulnerabilities/45417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •