CVE-2023-0868: XSS
First published: Thu Feb 23 2023(Updated: )
Reflected cross-site scripting in graph results in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to steal session cookies. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
Credit: security@opennms.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenNMS Horizon | <31.0.4 | |
| OpenNMS Meridian | <2023.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-0868?
CVE-2023-0868 is a vulnerability that refers to a reflected cross-site scripting (XSS) issue in the graph results of multiple versions of OpenNMS Meridian and Horizon.
What can an attacker do with CVE-2023-0868?
An attacker can exploit CVE-2023-0868 to gain unauthorized access to steal session cookies.
Which versions of OpenNMS Meridian and Horizon are affected by CVE-2023-0868?
Multiple versions of OpenNMS Meridian and Horizon are affected, specifically versions up to 2023.1.0 for Meridian and up to 31.0.4 for Horizon.
How can I fix CVE-2023-0868?
To fix CVE-2023-0868, users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4 or newer.
Where can I find more information about CVE-2023-0868?
You can find more information about CVE-2023-0868 in the release notes and GitHub pull request referenced in the vulnerability description.
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/opennms
- canonical/opennms horizon
- canonical/opennms meridian