OpenNMS · Meridian · CVE-2023-0871
**Name of the Vulnerable Software and Affected Versions**
OpenNMS Horizon versions 31.0.8 through 32.0.2
**Description**
An XML external entity (XXE) injection vulnerability in the `/rtc/post/` endpoint can be used to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to a newer version. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
**Recommendations**
To resolve the issue, upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. As a temporary workaround, consider restricting access to the `/rtc/post/` endpoint until a patch is available.
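
When restricting access to `/rtc/post/`, it helps to know which hosts are reaching it. The following is an added example, not part of the original advisory or of OpenNMS code: it scans request-log lines for requests to `/rtc/post/` from sources outside an allowlist. The NCSA log format, the `/opennms` path prefix, the loopback-only allowlist and the sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only the Horizon host itself should reach /rtc/post/; adjust per site.
ALLOWED_SOURCES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]

# NCSA common/combined format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
RTC_RE = re.compile(r"/rtc/post(/|$)")

def is_allowed(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or malformed source field: treat as unexpected
    return any(addr in net for net in ALLOWED_SOURCES)

def unexpected_rtc_requests(lines):
    """Return (src, time, method, decoded_path, status) for each request to
    /rtc/post/ that came from outside ALLOWED_SOURCES."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request-log line
        # Drop the query string and percent-decode so /rtc/%70ost/ is not missed.
        path = unquote(m["path"].split("?", 1)[0])
        if RTC_RE.search(path) and not is_allowed(m["src"]):
            hits.append((m["src"], m["ts"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '127.0.0.1 - rtc [12/Aug/2023:10:00:01 +0000] "POST /opennms/rtc/post/Network+Interfaces HTTP/1.1" 200 0',
    '10.20.30.44 - - [12/Aug/2023:10:03:17 +0000] "POST /opennms/rtc/post/x HTTP/1.1" 200 0',
    '10.20.30.44 - - [12/Aug/2023:10:03:19 +0000] "POST /opennms/rtc/%70ost/x HTTP/1.1" 500 120',
    '10.20.30.50 - admin [12/Aug/2023:10:05:00 +0000] "GET /opennms/index.jsp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in unexpected_rtc_requests(SAMPLE_LOG):
        print(hit)
```

Any source it reports is a candidate for blocking at the proxy or firewall in front of Horizon while the upgrade is scheduled.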