CVE-2023-30093

Name of the Vulnerable Software and Affected Versions Open Networking Foundation ONOS versions 1.9.0 through 2.7.0

Description A cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter or authorizationURL parameter of the API documentation dashboard. An arbitrary file upload vulnerability also allows attackers to execute arbitrary code via uploading a crafted YAML file.

Recommendations For Open Networking Foundation ONOS versions 1.9.0 through 2.7.0, consider disabling access to the API documentation dashboard until a patch is available. Restrict the use of the url parameter and authorizationURL parameter to minimize the risk of exploitation. Avoid uploading YAML files from untrusted sources to prevent arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.