In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to CSRF, due to no CSRF protection at `/opennms/admin/userGroupView/users/updateUser`. This flaw allows assigning `ROLE_ADMIN` security role to a normal user. Using this flaw, an attacker can trick the admin user to assign administrator privileges to a normal user by enticing him to click upon an attacker-controlled website.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Mend
Published: 2021-05-20T14:54:36
Updated: 2024-08-03T20:11:28.467Z
Reserved: 2021-01-22T00:00:00
Link: CVE-2021-25931
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-05-20T15:15:07.687
Modified: 2024-11-21T05:55:37.760
Link: CVE-2021-25931
Redhat
No data.