PT-2008-5570 · Opennms · Opennms
Published: 2008-09-29 · Updated: 2017-08-08 · CVE-2008-4320
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions:
OpenNMS versions prior to 1.5.94
Description:
The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the j_username parameter to "j_acegi_security_check", the username parameter to "notification/list.jsp", and the filter parameter to "event/list".
Recommendations:
For versions prior to 1.5.94, update to version 1.5.94 or later to resolve the issue. As a temporary workaround, consider restricting access to the "j_acegi_security_check", "notification/list.jsp", and "event/list" endpoints until the update is applied. Avoid using the j_username, username, and filter parameters in the affected endpoints until the issue is resolved.
Exploit
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Opennms