OpenNMS Meridian/Horizon XSS vPre 2023.1.0 / 31.0.4
CVE-2023-0867 Published on February 23, 2023
Multiple stored and reflected Cross-site Scripting in webapp
Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
Vulnerability Analysis
Weakness Types
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-0867 has been classified to as a XSS vulnerability or weakness.
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2023-0867
stack.watch emails you whenever new vulnerabilities are published in Opennms Horizon or Opennms Meridian. Just hit a watch button to start following.
Affected Versions
The OpenNMS Group Meridian:- Version 2020.1.0 and below 2020.1.32 is affected.
- Version 2021.1.0 and below 2021.1.24 is affected.
- Version 2022.1.0 and below 2022.1.13 is affected.
- Version 2023.1.0 is unaffected.
- Version 26.0.0 and below 31.0.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.