Headline
CVE-2023-40311: NMS-15782: prevent multiple XSS mishaps by fooker · Pull Request #6365 · OpenNMS/opennms
Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on the database and then load on JSPs or Angular templates. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue.
All Contributors
- Have you read our Contribution Guidelines?
- Have you (electronically) signed the OpenNMS Contributor Agreement?
Contribution Checklist
- Please make an issue in the OpenNMS issue tracker if there isn’t one already.
Once there is an issue, please:
- update the title of this PR to be in the format: ${JIRA-ISSUE-NUMBER}: subject of pull request
- update the Jira link at the bottom of this comment to refer to the real issue number
- prefix your commit messages with the issue number, if possible
- once you’ve created this PR, please link to it in a comment in the Jira issue
Don’t worry if this sounds like a lot, we can help you get things set up properly.
- If this code is likely to affect the UI, did you name your branch with -smoke in it to trigger smoke tests?
- If this is a new or updated feature, is there documentation for the new behavior?
- If this is new code, are there unit and/or integration tests?
- If this PR targets a foundation-* branch, does it try to avoid changing files in $OPENNMS_HOME/etc/?
What’s Next?
A PR should be assigned at least 2 reviewers. If you know that someone would be a good person to review your code, feel free to add them.
If you need help making additions or changes to the documentation related to your changes, please let us know.
In any case, if anything is unclear or you want help getting your PR ready for merge, please don’t hesitate to say something in the comments here,
or in the #opennms-development chat channel.
Once reviewer(s) accept the PR and the branch passes continuous integration, the PR is eligible for merge.
At that time, if you have commit access (are an OpenNMS Group employee or a member of the OGP) you are welcome to merge the PR when you’re ready.
Otherwise, a reviewer can merge it for you.
Thanks for taking time to contribute!
External References
- Jira (Issue Tracker): https://opennms.atlassian.net/browse/NMS-15782