Skip to main content

OpenMNS Horizon CVE-2025-53121

| EUVDEUVD-2025-19231 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-06-26 security@opennms.com
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
A

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
33.1.6,2024.2.6
EUVD ID Assigned
Mar 15, 2026 - 23:54 euvd
EUVD-2025-19231
Analysis Generated
Mar 15, 2026 - 23:54 vuln.today
CVE Published
Jun 26, 2025 - 19:15 nvd
MEDIUM 6.9

DescriptionCVE.org

Multiple stored XSS were found on different nodes with unsanitized parameters in OpenMNS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms that allow an attacker to store on database and then inject HTML and/or Javascript on the page. The solution is to upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Fábio Tomé for reporting this issue.

Analysis

Multiple stored XSS were found on different nodes with unsanitized parameters in OpenMNS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms that allow an attacker to store on database and then inject HTML and/or Javascript on the page. The solution is to upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Fábio Tomé for reporting this issue.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Share

CVE-2025-53121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy