CVE-2025-53121 MEDIUM

CVE-2025-53121: Stored XSS in multiple 33.0.8files in opennms/opennms

Vendor The Opennms Group
Product Horizon
Weakness CWE-79 · XSS
Published June 26, 2025
Last update June 26, 2025
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

What the vulnerability does

01Description

Multiple stored XSS were found on different nodes with unsanitized parameters in OpenMNS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms that allow an attacker to store on database and then inject HTML and/or Javascript on the page. The solution is to upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Fábio Tomé for reporting this issue.

Key dates

02Disclosure timeline

June 26, 2025 CVE published
June 26, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-29110 Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious strings in the home application. CVE-2024-10768 PHPGurukul Online Shopping Portal two_tables.php cross site scripting CVE-2025-3253 xujiangfei admintwo insertTree cross site scripting CVE-2025-5678 Kadence Blocks – Gutenberg Blocks for Page Builder Features <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter CVE-2024-56221 WordPress WPMozo Addons Lite for Elementor plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability