Authenticated XXE Injection Via The File Editor
CVE-2023-40612

5.3MEDIUM

Key Information:

Vendor: The Opennms Group
Status: Horizon; Meridian
Vendor: CVE Published:; 23 August 2023

🔔 Create The Opennms Group Vulnerability Alert

What is CVE-2023-40612?

In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

Affected Version(s)

Horizon Windows 31.0.8 < 32.0.2

Meridian Windows 2023.0.0 < 2023.1.5

References

https://github.com/OpenNMS/opennms/pull/6288

https://docs.opennms.com/meridian/2023/releasenotes/chang...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 23, 2023
Vulnerability Reserved
Aug 17, 2023

Credit

Erik Wynter