Lucene search

GoogleOSV:CVE-2023-0867

HistoryFeb 23, 2023 - 3:15 p.m.

CVE-2023-0867

2023-02-2315:15:11

Google

osv.dev

cve-2023-0867

cross-site scripting

opennms

confidential session information

upgrade

installation instructions

CVSS3

6.7

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

34.2%

JSON

Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users
should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and
Horizon installation instructions state that they are intended for installation
within an organization’s private networks and should not be directly accessible
from the Internet.

References

docs.opennms.com/meridian/2022/releasenotes/changelog.html#releasenotes-changelog-Meridian-2022.1.13

github.com/OpenNMS/opennms/pull/5765

CVSS3

6.7

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

34.2%

JSON

Related for OSV:CVE-2023-0867