Fooker

**Name of the Vulnerable Software and Affected Versions** OpenMNS Horizon versions 31.0.8 through 32.0.2 Meridian versions prior to 2023.1.6 Meridian versions prior to 2022.1.19 Meridian versions prior to 2021.1.30 Meridian versions prior to 2020.1.38 **Description** Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon on multiple platforms, allowing an attacker to craft a malicious XSS payload. The solution is to upgrade to a newer version. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue. **Recommendations** To resolve the issue, upgrade to Meridian 2023.1.6 or newer. To resolve the issue, upgrade to Meridian 2022.1.19 or newer. To resolve the issue, upgrade to Meridian 2021.1.30 or newer. To resolve the issue, upgrade to Meridian 2020.1.38 or newer. To resolve the issue, upgrade to Horizon 32.0.2 or newer.