CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS
Percentile
18.4%
XXE injection in /rtc/post/ endpoint
in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platformsΒ is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services.Β The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organizationβs private networks and should not be directly accessible from the Internet.
Vendor | Product | Version | CPE |
---|---|---|---|
org.opennms.core | org.opennms.core.xml | * | cpe:2.3:a:org.opennms.core:org.opennms.core.xml:*:*:*:*:*:*:*:* |