OpenNMS · OpenNMS Horizon · CVE-2025-53121
Name of the Vulnerable Software and Affected Versions:
OpenNMS Horizon versions 33.0.8 through 33.1.5
OpenNMS Meridian versions prior to 2024.2.6
Description:
Multiple stored XSS issues were found in OpenNMS Horizon due to unsanitized parameters on different nodes, allowing an attacker to store and inject HTML and/or JavaScript on the page. The affected software is intended for installation within an organization's private networks and should not be directly accessible from the Internet.
Recommendations:
For OpenNMS Horizon versions 33.0.8 through 33.1.5, upgrade to Horizon 33.1.6 or newer.
For OpenNMS Meridian versions prior to 2024.2.6, upgrade to Meridian 2024.2.6 or newer.
As a temporary workaround, consider restricting access to the affected nodes to minimize the risk of exploitation.