PT-2023-8929 · Opennms · Opennms Meridian+1
Stefan Schiller
·
Published
2023-02-22
·
Updated
2023-08-16
·
CVE-2023-0846
CVSS v2.0
7.1
High
| Vector | AV:A/AC:L/Au:S/C:C/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
OpenNMS Meridian versions prior to 2023.1.0
OpenNMS Horizon versions prior to 31.0.4
Description
The issue is related to unauthenticated, stored cross-site scripting in the display of alarm reduction keys, which could allow an attacker to access confidential session information. This is due to inadequate protection of the web page structure. The exploitation of this issue may enable a remote attacker to gain unauthorized access to protected session information.
Recommendations
For OpenNMS Meridian versions prior to 2023.1.0, upgrade to Meridian 2023.1.0 or newer.
For OpenNMS Horizon versions prior to 31.0.4, upgrade to Horizon 31.0.4.
As a temporary workaround, consider restricting access to the alarm reduction keys display to minimize the risk of exploitation.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Opennms Horizon
Opennms Meridian