Mikeluengo

**Name of the Vulnerable Software and Affected Versions** OpenTSDB version 2.3.0 **Description** An issue was discovered where many parameters to the "/q" URI can execute commands. The vulnerable parameters include `o`, `key`, `style`, and `yrange` and `y2range` along with their JSON input. **Recommendations** For OpenTSDB version 2.3.0, consider restricting access to the "/q" URI or limiting the execution of commands through the vulnerable parameters `o`, `key`, `style`, `yrange`, and `y2range` to minimize the risk of exploitation. Avoid using these parameters with JSON input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenTSDB version 2.3.0 **Description** An issue was discovered in OpenTSDB, where there is a Cross-Site Scripting (XSS) vulnerability in the `json` parameter to the "/q" URI. This allows for potential malicious script execution. **Recommendations** For OpenTSDB version 2.3.0, as a temporary workaround, consider restricting access to the "/q" URI or sanitizing the `json` parameter to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenTSDB version 2.3.0 **Description** An issue was discovered in OpenTSDB, where there is a Cross-Site Scripting (XSS) vulnerability in the `type` parameter to the "/suggest" URI. This allows for potential malicious script execution. **Recommendations** For OpenTSDB version 2.3.0, as a temporary workaround, consider restricting access to the "/suggest" URI or sanitizing the `type` parameter to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.