HQL Injection

Activity

Jeff Jancula January 18, 2022 at 7:38 PM

Added security-high label to match related CVE

Benjamin Reed March 3, 2020 at 2:41 PM

There is an HQL injection in the NodeListController endpoint of OpenNMS. The HQL injection requires the privileges of the role "ROLE_USER" (a low-privilege user).
The GET parameters `snmpParmValue` and `snmpParm` are concatenated into an HQL query in the function `org.opennms.web.svclayer.support.addCriteriaForSnmpParm`.
The concatenation of user input into a database query is insecure, since malicious HQL commands can be injected and arbitrary data can be read from the database.
The following listing shows the vulnerable function.
```java
private static void addCriteriaForSnmpParm(OnmsCriteria criteria,
        String snmpParm, String snmpParmValue, String snmpParmMatchType) {
    criteria.createAlias("node.ipInterfaces", "ipInterface");
    criteria.add(Restrictions.ne("ipInterface.isManaged", "D"));
    criteria.createAlias("node.snmpInterfaces", "snmpInterface");
    criteria.add(Restrictions.ne("snmpInterface.collect", "D"));
    if (snmpParmMatchType.equals("contains")) {
        // The property name is built from the user-supplied snmpParm; the value is
        // passed to the Criteria API and bound as a parameter.
        criteria.add(Restrictions.ilike("snmpInterface.".concat(snmpParm),
                snmpParmValue, MatchMode.ANYWHERE));
    } else if (snmpParmMatchType.equals("equals")) {
        snmpParmValue = snmpParmValue.toLowerCase();
        // Both snmpParm and snmpParmValue are spliced into a raw SQL string that
        // Hibernate passes through unchanged: this is the injectable branch.
        criteria.add(Restrictions.sqlRestriction("{alias}.nodeid in (select nodeid from snmpinterface"
                + " where snmpcollect != 'D' and lower(snmp" + snmpParm + ") = '" + snmpParmValue + "')"));
    }
}
```
When accessing the following URL, we can execute the PostgreSQL function `pg_sleep`:
`http://192.168.56.102:8980/opennms/element/nodeList.htm?snmpParm=collect&snmpParmValue=ab%27+and+%24%24%3D%27%24%24%3Dchr(61)||chr(39)and(select+pg_sleep(6))%3A%3Atext%3Dchr(39))+--&snmpParmMatchType=equals&listInterfaces=true`

For more information see:

https://owasp.org/www-community/Hibernate
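The following is an added example of how the `equals` branch can be hardened; it is not OpenNMS's actual fix and is not taken from the project. The column name cannot be bound as a SQL parameter, so it is checked against a fixed whitelist (the property names listed are an assumption about which `snmpInterface` fields the UI needs), and the value is bound through the `?` placeholder of Hibernate's `Restrictions.sqlRestriction(String, Object, Type)` instead of being concatenated. The `OnmsCriteria` import is assumed to be the OpenNMS wrapper used in the listing above.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.hibernate.criterion.MatchMode;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;
import org.opennms.netmgt.model.OnmsCriteria; // assumed wrapper type from the listing

// Added example: hardened variant of addCriteriaForSnmpParm (not OpenNMS code).
final class SnmpParmCriteria {

    // Assumption: the only snmpInterface properties a caller may filter on. Each name
    // is used both as a Hibernate property ("snmpInterface.ifDescr") and, prefixed
    // with "snmp", as the PostgreSQL column ("snmpifdescr"; unquoted identifiers fold
    // to lower case). Anything outside this set is rejected before any query is built.
    private static final Set<String> ALLOWED_SNMP_PARMS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("ifDescr", "ifName", "ifAlias", "ifType", "physAddr")));

    static void addCriteriaForSnmpParm(OnmsCriteria criteria,
            String snmpParm, String snmpParmValue, String snmpParmMatchType) {
        // Identifier position: whitelist, because a column name cannot be a bind parameter.
        if (snmpParm == null || !ALLOWED_SNMP_PARMS.contains(snmpParm)) {
            throw new IllegalArgumentException("unsupported snmpParm: " + snmpParm);
        }
        if (snmpParmValue == null) {
            throw new IllegalArgumentException("snmpParmValue is required");
        }

        criteria.createAlias("node.ipInterfaces", "ipInterface");
        criteria.add(Restrictions.ne("ipInterface.isManaged", "D"));
        criteria.createAlias("node.snmpInterfaces", "snmpInterface");
        criteria.add(Restrictions.ne("snmpInterface.collect", "D"));

        if ("contains".equals(snmpParmMatchType)) {
            // Value is handed to the Criteria API, which binds it as a parameter.
            criteria.add(Restrictions.ilike("snmpInterface." + snmpParm,
                    snmpParmValue, MatchMode.ANYWHERE));
        } else if ("equals".equals(snmpParmMatchType)) {
            // Value position: bound via '?' so quotes, "and", "--" etc. stay data.
            // Only the whitelisted snmpParm is ever interpolated into the SQL text.
            criteria.add(Restrictions.sqlRestriction(
                    "{alias}.nodeid in (select nodeid from snmpinterface"
                            + " where snmpcollect != 'D' and lower(snmp" + snmpParm + ") = ?)",
                    snmpParmValue.toLowerCase(),
                    StandardBasicTypes.STRING));
        } else {
            throw new IllegalArgumentException("unsupported snmpParmMatchType: " + snmpParmMatchType);
        }
    }
}
```

With this change the payload from the URL above is bound as a literal string compared against `lower(snmpcollect)`, so no second SQL expression is evaluated; an unknown `snmpParm` such as `collect` is rejected outright, which also closes the identifier-position injection that the `contains` branch shares.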

Fixed

Created March 3, 2020 at 2:39 PM
Updated January 18, 2022 at 7:38 PM
Resolved March 3, 2020 at 2:43 PM