{"containers": {"cna": {"affected": [{"product": "OpenNMS", "vendor": "OpenNMS", "versions": [{"lessThanOrEqual": "18.0.1", "status": "affected", "version": "18.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by Matthew Kienow and disclosure was coordinated by Rapid7."}], "datePublic": "2016-09-14T00:00:00", "descriptions": [{"lang": "en", "value": "OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-15T18:35:43", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenNMS/opennms/pull/1019"}], "source": {"discovery": "UNKNOWN"}, "title": "OpenNMS Stored XSS via SNMP Trap Alerts", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2016-09-14T18:18:00.000Z", "ID": "CVE-2016-6555", "STATE": "PUBLIC", "TITLE": "OpenNMS Stored XSS via SNMP Trap Alerts"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OpenNMS", "version": {"version_data": [{"version_affected": "<=", "version_name": "18.0.1", "version_value": "18.0.1"}]}}]}, "vendor_name": "OpenNMS"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered by Matthew Kienow and disclosure was coordinated by Rapid7."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556/", "refsource": "MISC", "url": "https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556/"}, {"name": "https://github.com/OpenNMS/opennms/pull/1019", "refsource": "MISC", "url": "https://github.com/OpenNMS/opennms/pull/1019"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:36:28.063Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenNMS/opennms/pull/1019"}]}]}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2016-6555", "datePublished": "2022-06-15T18:35:43.500923Z", "dateReserved": "2016-08-03T00:00:00", "dateUpdated": "2024-09-17T01:41:54.993Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opennms:opennms:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6E3BAC5-A23C-4751-BFD5-1DF2CEA1039D", "versionEndExcluding": "18.0.2-1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016."}, {"lang": "es", "value": "OpenNMS versiones 18.0.1 y anteriores, son vulnerables a un problema de tipo XSS almacenado debido a un filtrado insuficiente de los datos suministrados por las trampas SNMP. Al crear un trap SNMP malicioso, un atacante puede almacenar una carga \u00fatil de tipo XSS que ser\u00e1 desencadenada cuando un usuario de la Interfaz web visualice la p\u00e1gina de la lista de eventos. Este problema se ha corregido en la versi\u00f3n 18.0.2, publicada el 20 de septiembre de 2016."}], "id": "CVE-2016-6555", "lastModified": "2024-11-21T02:56:20.783", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "cve@rapid7.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-24T21:15:07.067", "references": [{"source": "cve@rapid7.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenNMS/opennms/pull/1019"}, {"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenNMS/opennms/pull/1019"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.rapid7.com/blog/post/2016/11/15/r7-2016-24-opennms-stored-xss-via-snmp-cve-2016-6555-cve-2016-6556/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@rapid7.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}