Headline
CVE-2023-0867: NMS-14854: fix XSS vulnerability in status/index.jsp by jeffgdotorg · Pull Request #5765 · OpenNMS/opennms
Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet.
All Contributors
- Have you read our Contribution Guidelines?
- Have you (electronically) signed the OpenNMS Contributor Agreement?
Contribution Checklist
- Please make an issue in the OpenNMS issue tracker if there isn’t one already.
Once there is an issue, please:- update the title of this PR to be in the format: ${JIRA-ISSUE-NUMBER}: subject of pull request
- update the JIRA link at the bottom of this comment to refer to the real issue number
- prefix your commit messages with the issue number, if possible
- once you’ve created this PR, please link to it in a comment in the JIRA issue
Don’t worry if this sounds like a lot, we can help you get things set up properly.
- If this code is likely to affect the UI, did you name your branch with -smoke in it to trigger smoke tests?
- If this is a new or updated feature, is there documentation for the new behavior?
- If this is new code, are there unit and/or integration tests?
- If this PR targets a foundation-* branch, does it try to avoid changing files in $OPENNMS_HOME/etc/?
What’s Next?
A PR should be assigned at least 2 reviewers. If you know that someone would be a good person to review your code, feel free to add them.
If you need help making additions or changes to the documentation related to your changes, please let us know.
In any case, if anything is unclear or you want help getting your PR ready for merge, please don’t hesitate to say something in the comments here,
or in the #opennms-development chat channel.
Once reviewer(s) accept the PR and the branch passes continuous integration, the PR is eligible for merge.
At that time, if you have commit access (are an OpenNMS Group employee or a member of the OGP) you are welcome to merge the PR when you’re ready.
Otherwise, a reviewer can merge it for you.
Thanks for taking time to contribute!
External References
- JIRA (Issue Tracker): http://issues.opennms.org/browse/NMS-14854