PT-2023-27378 · Opennms · Opennms Horizon +1

Erik Wynter · Published 2023-08-17 · Updated 2024-10-28 · CVE-2023-40315

CVSS v3.1: 5.3 (Vector: AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L)

Name of the Vulnerable Software and Affected Versions:

OpenNMS Horizon versions 31.0.8 through 32.0.2

Meridian versions prior to 2023.1.5

Description:

The issue allows any user with the `ROLE_FILESYSTEM_EDITOR` role to easily escalate their privileges to `ROLE_ADMIN` or any other role. The affected software is intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

Recommendations:

To resolve the issue, upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer.

As a temporary workaround, consider restricting the use of the `ROLE_FILESYSTEM_EDITOR` role until a patch is available.

Restrict access to the affected software to minimize the risk of exploitation, following the installation instructions that state the software should not be directly accessible from the Internet.
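To apply the workaround above you first need to know which accounts hold `ROLE_FILESYSTEM_EDITOR`. The following audit script is an added example for this advisory, not OpenNMS code: it assumes the `users.xml` layout of recent Horizon releases (a `<user>` element with a `<user-id>` and one `<role>` element per granted role) and runs over a constructed sample; point it at your own `etc/users.xml` after confirming the layout matches.

```python
"""Audit an OpenNMS users.xml for accounts holding ROLE_FILESYSTEM_EDITOR.

Added example for this advisory, not OpenNMS code. Assumes the users.xml layout
of recent Horizon releases (<user> with <user-id> and one <role> per grant).
"""
import xml.etree.ElementTree as ET

# Role that CVE-2023-40315 lets a holder escalate to ROLE_ADMIN (per advisory).
ESCALATION_ROLE = "ROLE_FILESYSTEM_EDITOR"

# Constructed sample in the assumed layout; not taken from a real deployment.
SAMPLE_USERS_XML = """
<userinfo xmlns="http://xmlns.opennms.org/xsd/users">
  <users>
    <user>
      <user-id>admin</user-id>
      <role>ROLE_ADMIN</role>
    </user>
    <user>
      <user-id>cfgbot</user-id>
      <role>ROLE_USER</role>
      <role>ROLE_FILESYSTEM_EDITOR</role>
    </user>
    <user>
      <user-id>viewer</user-id>
      <role>ROLE_USER</role>
    </user>
  </users>
</userinfo>
"""


def roles_by_user(users_xml: str) -> dict[str, set[str]]:
    """Map each user-id to the set of roles granted to it."""
    result: dict[str, set[str]] = {}
    # "{*}" matches any namespace, so a file without xmlns still parses.
    for user in ET.fromstring(users_xml.strip()).iterfind(".//{*}user"):
        uid = user.findtext("{*}user-id")
        if uid:
            result[uid.strip()] = {r.text.strip() for r in user.findall("{*}role") if r.text}
    return result


def users_with_role(users_xml: str, role: str = ESCALATION_ROLE) -> list[str]:
    """Sorted user-ids holding `role`; non-empty means the workaround is not in place."""
    return sorted(u for u, r in roles_by_user(users_xml).items() if role in r)


if __name__ == "__main__":
    print(f"{ESCALATION_ROLE} holders:", users_with_role(SAMPLE_USERS_XML) or "none")
```

Any account the script reports should either have the role removed or be reviewed as an admin-equivalent account until the upgrade is applied.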


Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2023-40315
GHSA-HF5P-F83X-5Q2G

Affected Products

Meridian
Opennms Horizon