CVE-2023-0869 : Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian

Cross-site scripting in outage/list.htm in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Published 2023-02-23 15:15:11

Updated 2023-03-03 16:24:39

Source The OpenNMS Group

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)Input validation

Products affected by CVE-2023-0869

Opennms » Horizon
Versions before (<) 31.0.4
cpe:2.3:a:opennms:horizon:*:*:*:*:*:*:*:*
Matching versions
Opennms » Meridian
Versions before (<) 2023.1.0
cpe:2.3:a:opennms:meridian:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-0869

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-0869

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
5.8	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N	1.5	4.2	The OpenNMS Group
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: Low Availability: None

CWE ids for CVE-2023-0869

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security@opennms.com (Secondary)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security@opennms.com (Secondary)

References for CVE-2023-0869

https://docs.opennms.com/meridian/2023/releasenotes/changelog.html#releasenotes-changelog-Meridian-2023.1.0

Changelog
Release Notes
https://github.com/OpenNMS/opennms/pull/5734

NMS-15294: Escaping parameter names in generated query strings by christianpape · Pull Request #5734 · OpenNMS/opennms · GitHub
Patch

Jump to

Vulnerability Details : CVE-2023-0869

Products affected by CVE-2023-0869

Exploit prediction scoring system (EPSS) score for CVE-2023-0869

CVSS scores for CVE-2023-0869

CWE ids for CVE-2023-0869

References for CVE-2023-0869