Unauthenticated, stored XSS in display of alarm reduction-key
Description
Unauthenticated, stored cross-site scripting in the display of alarm reduction keys in multiple versions of OpenNMS Horizon and Meridian could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opennms:opennms (Maven) | < 31.0.3 | 31.0.3 |
Affected products
- The OpenNMS Group / Horizon (v5 range): 26.1.0
- The OpenNMS Group / Meridian (v5 range): 2020.1.0
Patches
Vulnerability mechanics
Root cause
"Missing HTML output encoding when rendering the alarm reduction key in a JSP page allows stored cross-site scripting."
Attack vector
An unauthenticated attacker can inject arbitrary JavaScript into the alarm reduction-key field, which is stored in the database. When a user views the alarm detail page, the unsanitized reduction key is rendered directly into the HTML, causing the attacker's script to execute in the victim's browser. This stored cross-site scripting (XSS) attack can steal session cookies or other confidential session information. The advisory notes that OpenNMS installations are intended for private networks, but an attacker who gains network access can exploit this without authentication.
Affected code
The vulnerability exists in `opennms-webapp/src/main/webapp/WEB-INF/jsp/alarm/detail.jsp` at the line displaying the alarm reduction key. The original code used `
What the fix does
The patch wraps the reduction key output with `WebSecurityUtils.sanitizeString()`, which escapes HTML special characters before rendering. This prevents injected script tags or event handlers from being interpreted as executable code by the browser. The change is minimal — a single line in `detail.jsp` — and directly addresses the stored XSS by ensuring user-controlled data is safely encoded for HTML context.
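To make the difference between the pre-fix and post-fix rendering concrete, here is an added example (not OpenNMS code and not the contents of `detail.jsp`): a small Java class that builds the HTML fragment for an alarm row twice, once by concatenating the reduction key directly and once after HTML-encoding it. The `escapeHtml()` helper is a stand-in written for this example; it is not `WebSecurityUtils.sanitizeString()`, whose exact behaviour is not reproduced here. The reduction keys in `main()` are constructed sample values.

```java
// Added example, not part of the OpenNMS code base. Shows why encoding the
// alarm reduction key for HTML text context before writing it into a page
// stops stored markup from being interpreted by the browser.
import java.util.List;

public class ReductionKeyRendering {

    /**
     * Minimal HTML-context encoder (stand-in for WebSecurityUtils.sanitizeString(),
     * which this example does not reproduce). Encodes the five characters that
     * can end a text node or an attribute value.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Pre-fix pattern: the stored value is concatenated straight into the markup. */
    static String renderUnsafe(String reductionKey) {
        return "<td class=\"reduction-key\">" + reductionKey + "</td>";
    }

    /** Post-fix pattern: the stored value is encoded for HTML text context first. */
    static String renderSafe(String reductionKey) {
        return "<td class=\"reduction-key\">" + escapeHtml(reductionKey) + "</td>";
    }

    /** Simple regression check: encoded output must not reintroduce a raw tag. */
    static boolean containsRawTag(String html, String untrusted) {
        return untrusted.contains("<") && html.contains(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample keys. Reduction keys are derived from event data,
        // so nothing guarantees that their content is safe for HTML.
        List<String> keys = List.of(
            "uei.opennms.org/nodes/nodeDown::42",
            "uei.opennms.org/nodes/nodeDown::42<script>alert(1)</script>");

        for (String key : keys) {
            String unsafe = renderUnsafe(key);
            String safe = renderSafe(key);
            System.out.println("unsafe : " + unsafe + "  rawTag=" + containsRawTag(unsafe, key));
            System.out.println("safe   : " + safe + "  rawTag=" + containsRawTag(safe, key));
        }
    }
}
```

The encoder above is only correct for HTML text content and quoted attribute values. In a JSP, the equivalent of the fix can also be expressed with JSTL's `<c:out value="${alarm.reductionKey}"/>`, which escapes XML characters by default; writing the value into a JavaScript block or an unquoted attribute needs a context-specific encoder instead.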
Preconditions
- Network: the attacker must have network access to the OpenNMS web application (though it is intended for private networks)
- Authentication: no authentication is required to trigger the stored XSS
- Input: the attacker must be able to create or modify an alarm with a malicious reduction key
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.