CVE-2023-40314

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-40314

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40314.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-40314

Aliases

GHSA-c6xw-hg9q-3c9f

Published

2023-11-16T22:15:27.947Z

Modified

2026-04-12T05:13:28.951173Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer

Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

OpenNMS thanks

Moshe Apelbaum

for reporting this issue.

References

https://github.com/OpenNMS/opennms/pull/6791

Affected packages

Git / github.com/opennms/opennms

Affected ranges

Type

GIT

Repo

https://github.com/opennms/opennms

Events

Introduced

Fixed

9be85488f406d781b71f963d6d4196392f81f73c

Introduced

Fixed

4914949fc5b37a414a77ac9e35b94a4103b450ed

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "32.0.5"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "2023.1.9"
        }
    ]
}

Affected versions

meridian-foundation-2023.*

meridian-foundation-2023.1.0-1

meridian-foundation-2023.1.1-1

meridian-foundation-2023.1.2-1

meridian-foundation-2023.1.3-1

meridian-foundation-2023.1.4-1

meridian-foundation-2023.1.5-1

meridian-foundation-2023.1.6-1

meridian-foundation-2023.1.7-1

meridian-foundation-2023.1.8-1

opennms-1.*

opennms-1.11.1-1

opennms-1.11.3-1

opennms-1.13.2-1

opennms-1.9.0-1

opennms-1.9.4-1

opennms-1.9.93-1

opennms-20.*

opennms-20.0.0-1

opennms-31.*

opennms-31.0.0-1

opennms-31.0.1-1

opennms-32.*

opennms-32.0.0-1

opennms-32.0.1-1

opennms-32.0.2-1

opennms-32.0.3-1

space-integration-12.*

space-integration-12.2-code-freeze

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40314.json"

vanir_signatures_modified

"2026-04-12T05:13:28Z"

vanir_signatures

[
    {
        "deprecated": false,
        "target": {
            "file": "opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java"
        },
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "93881226476338251812829900638950897907",
                "37870743246038020135494441602478304847",
                "282341087660085847342158040180860907803",
                "262813314253117893114168772660890074110"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/opennms/opennms/commit/9be85488f406d781b71f963d6d4196392f81f73c",
        "id": "CVE-2023-40314-231dc868"
    },
    {
        "deprecated": false,
        "target": {
            "file": "opennms-full-assembly/src/test/java/org/opennms/assemblies/karaf/OnmsKarafTestCase.java",
            "function": "getFrameworkUrl"
        },
        "signature_type": "Function",
        "digest": {
            "function_hash": "10059048629960032653536562306933440815",
            "length": 185.0
        },
        "signature_version": "v1",
        "source": "https://github.com/opennms/opennms/commit/9be85488f406d781b71f963d6d4196392f81f73c",
        "id": "CVE-2023-40314-9d477a05"
    }
]