CVE-2021-25931
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.
En OpenNMS Horizon, versiones opennms-1-0-stable hasta opennms-27.1.0-1; OpenNMS Meridian, versiones meridian-foundation-2015.1.0-1 hasta meridian-foundation-2019.1.18-1; versiones meridian-foundation-2020.1.0-1 hasta meridian-foundation-2020.1.6-1, son vulnerables a ataques de tipo CSRF, debido a que no presenta protección de tipo CSRF en el parámetro "/opennms/admin/userGroupView/users/updateUser". Este fallo permite asignar el rol de seguridad "ROLE_ADMIN" a un usuario normal. Usando este fallo, un atacante puede engañar al usuario administrador para que asigne privilegios de administrador a un usuario normal, incitándolo a hacer clic en un sitio web controlado por el atacante
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-22 CVE Reserved
- 2021-05-20 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-09-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25931 | 2024-08-03 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Opennms Search vendor "Opennms" | Horizon Search vendor "Opennms" for product "Horizon" | >= 1.0 < 27.1.1 Search vendor "Opennms" for product "Horizon" and version " >= 1.0 < 27.1.1" | - |
Affected
| ||||||
Opennms Search vendor "Opennms" | Meridian Search vendor "Opennms" for product "Meridian" | >= 2015.1.0 < 2019.1.19 Search vendor "Opennms" for product "Meridian" and version " >= 2015.1.0 < 2019.1.19" | - |
Affected
| ||||||
Opennms Search vendor "Opennms" | Meridian Search vendor "Opennms" for product "Meridian" | >= 2020.1.0 < 2020.1.7 Search vendor "Opennms" for product "Meridian" and version " >= 2020.1.0 < 2020.1.7" | - |
Affected
|