CVE-2023-0871

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Aug 11, 2023
Updated: Aug 22, 2023
CWE ID 611

Summary

CVE-2023-0871: OpenNMS Horizon versions prior to 32.0.2 contain a vulnerability in the /rtc/post/ endpoint, which is susceptible to XML External Entity (XXE) injection. Attackers can exploit this vulnerability to make Horizon initiate unintended HTTP requests to both internal and external services. To mitigate this risk, users are advised to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. The affected software is intended for use within private networks and should not be accessible from the internet. OpenNMS acknowledges the reporting of this issue by Erik Wynter and Moshe Apelbaum.

Affected Products

  • OpenNMS Meridian
  • OpenNMS Horizon

Affected Vendors

  • OpenNMS