PT-2023-27375 · Opennms · Meridian+1

Fooker · Published 2023-08-14 · Updated 2023-08-23 · CVE-2023-40312

CVSS v3.1: 6.7 (Medium)

Vector: AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

OpenNMS Horizon versions 31.0.8 through 32.0.2
Meridian versions prior to 2023.1.6
Meridian versions prior to 2022.1.19
Meridian versions prior to 2021.1.30
Meridian versions prior to 2020.1.38

Description

Multiple reflected XSS issues were found in different JSP files with unsanitized parameters in OpenNMS Horizon on multiple platforms, allowing an attacker to craft a malicious XSS payload. The solution is to upgrade to a newer version. The Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue.

Recommendations

To resolve the issue, upgrade to Meridian 2023.1.6 or newer.
To resolve the issue, upgrade to Meridian 2022.1.19 or newer.
To resolve the issue, upgrade to Meridian 2021.1.30 or newer.
To resolve the issue, upgrade to Meridian 2020.1.38 or newer.
To resolve the issue, upgrade to Horizon 32.0.2 or newer.

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2023-40312
GHSA-CHGR-J2P9-JJH8

Affected products

Meridian
Opennms Horizon