PT-2023-19507 · Open Networking Foundation · Onos

Published

2023-03-14

Updated

2023-03-22

CVE-2023-24279

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Open Networking Foundation ONOS versions v1.9.0 through v2.7.0

Description A cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard. This can occur under the info > contact > URL section.

Recommendations For Open Networking Foundation ONOS versions v1.9.0 through v2.7.0, consider disabling access to the API documentation dashboard until a patch is available. Restrict the use of the url parameter in the API documentation dashboard to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-24279

GHSA-3XMP-JWRR-8F4R

Affected Products

Onos

PT-2023-19507 · Open Networking Foundation · Onos

CVE-2023-24279

Weakness Enumeration

Related Identifiers

Affected Products

References · 10