Severity: Medium
CVE ID: CVE-2025-9227
| Product name | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| OpManager, OpManager Enterprise Edition, OpManager Plus, OpManager Plus Enterprise Edition, OpManager MSP | 128609 and below | 128610 | 22-08-2025 |
| | 128597 and below | 128598 | 29-08-2025 |
| | 128542 and below | 128543 | 21-08-2025 |
| | 128465 and below | 128466 | 22-08-2025 |
Details:
OpManager: A stored cross-site scripting (XSS) vulnerability was identified in the Description field of the SNMP Trap Processor module. This issue has now been fixed. (Reported by tuannq x ngockhanhc311. Refer to CVE-2025-9227.)
Impact:
A user with permission to modify an SNMP Trap Processor can inject malicious JavaScript code into the Description field. The code executes when an admin accesses the SNMP Trap Processors page, allowing the attacker to use the admin's CSRF token and session to achieve a reverse shell and remote code execution on the server.
Fix:
We have sanitized the user-supplied input in the Description field of the SNMP Trap Processor to prevent script injection and implemented output encoding.
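The following is an added example, not OpManager's code: it shows the output-encoding pattern named in the fix beside the unencoded rendering that makes a stored Description field dangerous, plus a small audit that flags stored descriptions containing markup. The record shape (`name`, `description`), the function names and the sample data are assumptions made for illustration.

```javascript
// Added illustration; not ManageEngine code. Record shape and names are hypothetical.

// Output encoding for HTML element and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unencoded pattern: the stored value is concatenated into markup unchanged,
// so any markup saved in the description is parsed by the admin's browser.
function renderRowUnsafe(p) {
  return `<tr><td>${p.name}</td><td>${p.description}</td></tr>`;
}

// Encoded pattern: every stored field is encoded at the point of output,
// so the browser displays the description as text.
function renderRowSafe(p) {
  return `<tr><td>${encodeHtml(p.name)}</td><td>${encodeHtml(p.description)}</td></tr>`;
}

// Audit heuristic for defenders: flag stored descriptions that contain
// tag openers, inline event-handler attributes or javascript: URLs.
// A hit means "review this record", not proof of compromise.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;
function auditDescriptions(processors) {
  return processors
    .filter((p) => MARKUP_PATTERN.test(String(p.description)))
    .map((p) => p.name);
}

// Constructed sample records (not real OpManager data).
const sampleProcessors = [
  { name: 'LinkDown', description: 'Interface down on core switch' },
  { name: 'TempAlert', description: 'Threshold > 80 & rising' },
  { name: 'Injected', description: '<script>alert(1)</script>' },
];

function runDemo() {
  return {
    flagged: auditDescriptions(sampleProcessors),
    safeRows: sampleProcessors.map(renderRowSafe),
  };
}
```

Encoding at output protects the page even when a record saved before the fix still holds markup, which is why the audit is a review aid rather than the control itself.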
Steps to upgrade:
Source and Acknowledgements:
This vulnerability was reported by tuannq x ngockhanhc311.
Kindly contact our product support teams for further details, at the email address mentioned below: