VYPR
Moderate severity · NVD Advisory · Published Mar 22, 2023 · Updated Feb 25, 2025

Form Can Be Manipulated with Cross-Site Request Forgery (CSRF)

CVE-2023-0870

Description

A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.opennms:opennms-webapp (Maven)
Affected versions: < 31.0.6
Patched versions: 31.0.6


Vulnerability mechanics

Root cause

"Missing CSRF tokens on three administrative POST forms and missing endpoint registration in the CSRF protection configuration allow cross-site request forgery."

Attack vector

An attacker can craft a malicious web page that, when visited by an authenticated OpenNMS administrator, submits a forged POST request to one of the unprotected endpoints (`/admin/addNewInterface`, `/admin/deleteSelNodes`, or `/admin/manageNodes`). Because these endpoints lacked CSRF protection [patch_id=1641145], the browser would automatically include the victim's session cookie, allowing the attacker to add network interfaces, delete selected nodes, or manage nodes without the administrator's consent. The advisory notes that OpenNMS is intended for private networks, but an attacker who gains a foothold inside the network or tricks an internal user can exploit this cross-site request forgery to compromise confidentiality and integrity.

Affected code

The vulnerability affects three JSP forms in the OpenNMS web application: `admin/newInterface.jsp`, `admin/delete.jsp`, and `admin/manage.jsp`. These forms submit POST requests to the endpoints `/admin/addNewInterface`, `/admin/deleteSelNodes`, and `/admin/manageNodes` respectively. The forms were missing CSRF tokens, and the corresponding POST endpoints were not listed in the CSRF-protected URL matchers in `applicationContext-spring-security.xml`.

What the fix does

The patch adds a hidden CSRF token field (`${_csrf.parameterName}` with value `${_csrf.token}`) to each of the three vulnerable forms in `newInterface.jsp`, `delete.jsp`, and `manage.jsp`. It also registers the three POST endpoints (`/admin/addNewInterface`, `/admin/deleteSelNodes`, `/admin/manageNodes`) in the Spring Security CSRF protection configuration within `applicationContext-spring-security.xml`. This ensures that any POST request to these endpoints must include a valid CSRF token, preventing cross-site request forgery attacks.
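As an added illustration (not OpenNMS's own configuration file), this shows how the configuration half of the fix looks in a Spring Security XML setup of the kind the advisory describes: a request matcher enumerates the POST paths that must carry a token, so any endpoint left off that list is accepted without one, which is the gap described above. Bean ids, schema locations and the surrounding `<security:http>` attributes are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example in the style of applicationContext-spring-security.xml; bean ids and
     schema locations are assumptions, not OpenNMS's actual file. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Allow-list of state-changing requests that must present a CSRF token.
       With an explicit matcher like this, enforcement applies ONLY to listed paths:
       a POST endpoint missing from the list is processed without any token check,
       which is exactly the gap CVE-2023-0870 closed for the three admin endpoints.
       (Omitting request-matcher-ref altogether makes Spring require a token for
       every request that is not GET, HEAD, TRACE or OPTIONS.) -->
  <bean id="csrfProtectedRequests"
        class="org.springframework.security.web.util.matcher.OrRequestMatcher">
    <constructor-arg>
      <list>
        <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
          <constructor-arg value="/admin/addNewInterface"/>
          <constructor-arg value="POST"/>
        </bean>
        <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
          <constructor-arg value="/admin/deleteSelNodes"/>
          <constructor-arg value="POST"/>
        </bean>
        <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
          <constructor-arg value="/admin/manageNodes"/>
          <constructor-arg value="POST"/>
        </bean>
      </list>
    </constructor-arg>
  </bean>

  <security:http use-expressions="true">
    <!-- CsrfFilter rejects with HTTP 403 any request matched above that lacks a
         valid _csrf parameter or X-CSRF-TOKEN header bound to the user's session. -->
    <security:csrf request-matcher-ref="csrfProtectedRequests"/>
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <security:form-login/>
  </security:http>

</beans>
```

The form side of the patch is the hidden input quoted above, `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>`, which must appear in every form posting to a listed path. A useful review check is to diff this matcher list against every POST-handling mapping in the web application, since any path in the second set but not the first is unprotected.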

Preconditions

  • auth: The attacker must trick an authenticated OpenNMS administrator into visiting a malicious page while the administrator has an active session.
  • network: The victim's browser must be able to reach the OpenNMS web application (e.g., both are on the same private network).
  • input: The attacker must craft a form or script that submits a POST request to one of the unprotected endpoints.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
