Vulnerability DatabaseCVE-2023-40311
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-40311
August 14, 2023
Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on database and then load on JSPs or Angular templates. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue.
Related Resources (6)
https://nvd.nist.gov/vuln/detail/CVE-2023-40311
https://github.com/OpenNMS/opennms/pull/6366
https://github.com/OpenNMS/opennms
https://github.com/OpenNMS/opennms/pull/6365
https://github.com/OpenNMS/opennms/commit/c67d1cae2fa1fb806c9d422f6e6fbf4ebfde6b60
https://github.com/OpenNMS/opennms/commit/6ccc5de1a23d440560e0f09dfd94f8392c21e70d
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.8
Attack Vector
ADJACENT
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.7
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
EPSS
Base Score:
0.13