PT-2023-8929 · Opennms · Opennms Meridian+1

Stefan Schiller

·

Published

2023-02-22

·

Updated

2023-08-16

·

CVE-2023-0846

CVSS v2.0

7.1

High

Vector: AV:A/AC:L/Au:S/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

OpenNMS Meridian versions prior to 2023.1.0
OpenNMS Horizon versions prior to 31.0.4

Description

The issue is related to unauthenticated, stored cross-site scripting in the display of alarm reduction keys, which could allow an attacker to access confidential session information. This is due to inadequate protection of the web page structure. The exploitation of this issue may enable a remote attacker to gain unauthorized access to protected session information.

Recommendations

For OpenNMS Meridian versions prior to 2023.1.0, upgrade to Meridian 2023.1.0 or newer. For OpenNMS Horizon versions prior to 31.0.4, upgrade to Horizon 31.0.4. As a temporary workaround, consider restricting access to the alarm reduction keys display to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related identifiers

BDU:2024-02652
CVE-2023-0846
GHSA-79JR-8FHM-8WV3

Affected products

Opennms Horizon
Opennms Meridian