CVE-2016-6555 HIGH

CVE-2016-6555: OpenNMS Stored XSS via SNMP Trap Alerts

Vendor Opennms
Product OpenNMS
Weakness CWE-79 · XSS
Published June 15, 2022
Last update September 17, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

OpenNMS versions 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of data supplied in SNMP traps. By creating a malicious SNMP trap, an attacker can store an XSS payload that triggers when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016.

Key dates

02 Disclosure timeline

June 15, 2022 CVE published
September 17, 2024 Record updated
