PT-2023-16575 · Opennms · Meridian +1

Erik Wynter

Published 2023-08-11 · Updated 2023-08-28

CVE-2023-0871

CVSS v3.1: 6.1 (Medium)
Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenNMS Horizon versions 31.0.8 through 32.0.2

Description: The issue is related to an XML external entity (XXE) injection vulnerability in the /rtc/post/ endpoint, which can be used to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to a newer version. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Recommendations: To resolve the issue, upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. As a temporary workaround, consider restricting access to the /rtc/post/ endpoint until a patch is available.

Fix

XXE


Weakness Enumeration

Related identifiers

CVE-2023-0871
GHSA-2QC8-R663-V864

Affected products

Meridian
Opennms Horizon