CVE-2023-40312

Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that an attacker can modify to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:*
cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*
cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*
cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*

History

23 Aug 2023, 16:58

Type Values Removed Values Added
CWE CWE-79
First Time Opennms
Opennms horizon
Opennms meridian
References (MISC) https://github.com/OpenNMS/opennms/pull/6356 - (MISC) https://github.com/OpenNMS/opennms/pull/6356 - Patch, Vendor Advisory
References (MISC) https://docs.opennms.com/horizon/32/releasenotes/changelog.html - (MISC) https://docs.opennms.com/horizon/32/releasenotes/changelog.html - Release Notes
CPE cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*
cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.2

14 Aug 2023, 18:59

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-14 18:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-40312

Mitre link : CVE-2023-40312

CVE.ORG link : CVE-2023-40312


JSON object : View

Products Affected

opennms

  • meridian
  • horizon
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')