OpenNMS Meridian 2016, 2017, 2018 before 2018.1.25, 2019 before 2019.1.16, and 2020 before 2020.1.5, Horizon 1.2 through 27.0.4, and Newts <1.5.3 has Incorrect Access Control, which allows local and remote code execution using JEXL expressions.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HOpennms Horizon
APPOpennms16.0.0 – 27.0.3Opennms Meridian
APPOpennms2016.1.0 – 2016.1.242017.1.0 – 2017.1.262018.1.0 – 2018.1.25 (bez)2019.1.0 – 2019.1.16 (bez)2020.1.0 – 2020.1.5 (bez)Opennms Newts
APPOpennms< 1.5.3
Related vulnerabilities
A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in rela...
The Horizon REST API includes a users endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on m...
A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon...
In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-...
OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snm...