Moderate severityNVD Advisory· Published Feb 23, 2023· Updated Aug 2, 2024

Multiple stored and reflected Cross-site Scripting in webapp

CVE-2023-0867

Description

Multiple stored and reflected cross-site scripting vulnerabilities in webapp jsp pages in multiple versions of OpenNMS Meridian and Horizon could allow an attacker access to confidential session information. Users should upgrade to Meridian 2023.1.0 or newer, or Horizon 31.0.4. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.opennms:opennmsMaven	< 31.0.4	31.0.4

Affected products

ghsa-coords
pkg:maven/org.opennms/opennms
Range: < 31.0.4
The OpenNMS Group/Horizonv5
Range: 26.0.0
The OpenNMS Group/Meridianv5
Range: 2020.1.0

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-mjv2-6jv4-vrg7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-0867ghsaADVISORY
docs.opennms.com/meridian/2022/releasenotes/changelog.htmlghsaWEB
github.com/OpenNMS/opennms/commit/9a366e6822479579e642b58058568af37658babaghsaWEB
github.com/OpenNMS/opennms/pull/5765ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000