Cross-site scripting in outage/list.htm
Description
Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker to access confidential session information. The solution is to upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer.
Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opennms:opennms-web-api (Maven) | <= 31.0.3 | — |
Affected products
- The OpenNMS Group / Horizon, range: 29.0.0
- The OpenNMS Group / Meridian, range: 2022.1.0
Patches
Vulnerability mechanics
Root cause
"Missing URL-encoding of HTTP parameter names in the makeQueryString method allows injection of arbitrary HTML/JavaScript into generated query strings."
Attack vector
An attacker can craft an HTTP request to the `/outage/list.htm` endpoint with a malicious parameter name containing HTML/JavaScript payloads (e.g., `">
Affected code
The vulnerability is in the `makeQueryString` method in `opennms-web-api/src/main/java/org/opennms/web/api/Util.java`. This method constructs HTTP query strings from request parameters but did not URL-encode the parameter *names* before appending them to the buffer. The test file `opennms-webapp/src/test/java/org/opennms/web/outage/filter/WebOutageRepositoryFilterIT.java` demonstrates the attack by injecting a parameter name containing `">
What the fix does
The patch adds a single call to `Util.encode(name)` on the parameter name in `makeQueryString` [patch_id=1641146]. Previously, only the parameter *values* were URL-encoded via `Util.encode(values[i])`, but the `name` was appended raw. By encoding the name as well, any HTML metacharacters (quotes, angle brackets) injected into a parameter name are percent-encoded, preventing them from being interpreted as markup when the query string is embedded in a page. The accompanying test verifies that the resulting query string contains no `"`, `'`, `
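The following stand-alone Java class, added here as an illustration and not taken from the OpenNMS code base, re-creates the shape of the bug and of the fix described above: a query-string builder that percent-encodes parameter values but appends parameter names raw, beside the corrected variant that encodes both. The class and method names (`QueryStringExample`, `makeQueryStringVulnerable`, `makeQueryStringFixed`, `containsMarkup`) are assumptions, `java.net.URLEncoder` stands in for the page's `Util.encode`, and the request parameters are constructed for the example.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not OpenNMS's Util.makeQueryString): the same query string is
 * built twice from a servlet-style parameter map, once with the parameter name
 * left unencoded and once with it percent-encoded like the value.
 */
public class QueryStringExample {

    /** Stand-in for the page's Util.encode(...): percent-encode one token. */
    static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Vulnerable shape: the value is encoded, the name is appended raw. */
    static String makeQueryStringVulnerable(Map<String, String[]> params) {
        StringBuilder buf = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String name = e.getKey(); // attacker-controlled, never encoded
            for (String value : e.getValue()) {
                if (buf.length() > 0) buf.append('&');
                buf.append(name).append('=').append(encode(value));
            }
        }
        return buf.toString();
    }

    /** Fixed shape: name and value are both percent-encoded before appending. */
    static String makeQueryStringFixed(Map<String, String[]> params) {
        StringBuilder buf = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            String name = encode(e.getKey()); // the one-line change
            for (String value : e.getValue()) {
                if (buf.length() > 0) buf.append('&');
                buf.append(name).append('=').append(encode(value));
            }
        }
        return buf.toString();
    }

    /** Mirrors the kind of check the page's test performs: no raw HTML metacharacters survive. */
    static boolean containsMarkup(String s) {
        return s.indexOf('"') >= 0 || s.indexOf('\'') >= 0
            || s.indexOf('<') >= 0 || s.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed parameters: on a GET to /outage/list.htm the attacker
        // controls the parameter *names* as well as the values.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("sortby", new String[] {"id"});
        params.put("\"><script>alert(1)</script>", new String[] {"x"});

        String vulnerable = makeQueryStringVulnerable(params);
        String fixed = makeQueryStringFixed(params);
        System.out.println("vulnerable: " + vulnerable + "  markup survives? " + containsMarkup(vulnerable));
        System.out.println("fixed:      " + fixed + "  markup survives? " + containsMarkup(fixed));
    }
}
```

Run it with `javac QueryStringExample.java && java QueryStringExample`. In the vulnerable variant the injected name reaches the output untouched, so any page that interpolates the resulting query string into a link attribute or script block emits the markup as-is; in the fixed variant the quotes and angle brackets come out percent-encoded and `containsMarkup` reports nothing left. Percent-encoding at construction time is the right fix for a string that is destined for a URL, but the template that embeds the query string should still HTML-escape it on output as defence in depth, since the builder cannot know every context its result will land in.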
Preconditions
- Network: the attacker must be able to send HTTP requests to the OpenNMS web interface (the advisory notes the software is intended for private networks and should not be directly Internet-accessible).
- Input: the attacker must supply a parameter name containing HTML/JavaScript payload characters such as quotes or angle brackets.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.