CVE-2023-40612

MEDIUM

OpenMNS Horizon <32.0.2 - XXE Injection

Title source: llm

Description

In OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2, the file editor which is accessible to any user with ROLE_FILESYSTEM_EDITOR privileges is vulnerable to XXE injection attacks. The solution is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter for reporting this issue.

References (2)

[Release Notes] https://docs.opennms.com/meridian/2023/releasenotes/changelog.html#releasenotes-changelog-Meridian-2023.1.5

[Patch] https://github.com/OpenNMS/opennms/pull/6288

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 12.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-91

Status published

Products (2)

opennms/horizon 31.0.8 - 32.0.2

opennms/meridian 2023.0.0 - 2023.1.5

Published Aug 23, 2023

Tracked Since Feb 18, 2026