Severity: Medium
CVE ID: CVE-2025-9226
| Product name | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| OpManager, OpManager Enterprise Edition, OpManager Nexus, OpManager Nexus Enterprise Edition, OpManager MSP, NetFlow Analyzer, OpUtils | Below 128464; between 128510 and 128541; between 128580 and 128581 | 28542/128570/128465/128582 | 30-06-2025 |
Details:
A stored Cross-Site Scripting (XSS) vulnerability allowed an authenticated, low-privileged user with permission to modify subnet details to inject malicious JavaScript payloads. This has been fixed.
Impact:
A stored Cross-Site Scripting (XSS) vulnerability could allow a low-privileged authenticated user to inject malicious JavaScript through the subnet details input field. The injected payload may be stored and executed when other users access the affected page.
Fix:
The issue has been addressed by properly escaping all user input from the subnet details field and rendering it safely as plain text in the UI, so that injected JavaScript is not executed and the XSS vulnerability is mitigated.
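The class of fix described above, shown as an added example (not the product's own code): stored subnet fields are encoded at output time so they display as text. The record fields, markup and function names are hypothetical, and the stored value is constructed for the illustration.

```javascript
// Added example: field names and markup are hypothetical, not product code.

// Constructed record, as it might be stored after a user edits subnet details.
const storedSubnet = {
  address: "10.20.30.0/24",
  name: 'Lab "east"',
  description: "<script>document.title='x'</script>",
};

// Before: stored values are concatenated straight into markup, so tags in
// them become part of the page for every user who opens the subnet view.
function renderSubnetRowUnsafe(s) {
  return `<tr title="${s.name}"><td>${s.address}</td><td>${s.description}</td></tr>`;
}

// Encode the characters that can change the HTML parsing context.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// After: every stored field is encoded where it is written out, covering
// both the quoted attribute value and the element text.
function renderSubnetRowSafe(s) {
  const name = escapeHtml(s.name);
  const address = escapeHtml(s.address);
  const description = escapeHtml(s.description);
  return `<tr title="${name}"><td>${address}</td><td>${description}</td></tr>`;
}

// Regression check: true if any tag other than the template's own tr/td
// appears in the rendered row.
function containsUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return tags.some((t) => !/^<\/?(tr|td)$/i.test(t));
}

console.log(containsUnexpectedTags(renderSubnetRowUnsafe(storedSubnet)));
console.log(containsUnexpectedTags(renderSubnetRowSafe(storedSubnet)));
```

A check like `containsUnexpectedTags` fits in a UI regression test for any view that displays user-editable subnet fields.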
Steps to upgrade:
Source and Acknowledgements
This vulnerability was reported by tuannq x ngockhanhc311.
Kindly contact our product support team for further details, at the below mentioned email address: