VYPR
Moderate severity · NVD Advisory · Published Mar 14, 2023 · Updated Feb 27, 2025

CVE-2023-24279

Description

A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting (XSS) flaw in the ONOS SDN controller, versions 1.9.0 through 2.7.0, lets an attacker run arbitrary script in a victim's browser via the url parameter of the API documentation dashboard.

Vulnerability

Overview

A cross-site scripting (XSS) vulnerability exists in the Open Networking Foundation ONOS (Open Network Operating System) SDN controller, affecting versions v1.9.0 through v2.7.0 [1]. The flaw is in the API documentation dashboard: a crafted value supplied in the url parameter is rendered into the page as HTML rather than as inert text, so attacker-chosen script or markup executes in the viewing user's browser, with the usual XSS consequences of session hijacking, data theft, or page defacement [1].

Exploitation

Conditions

Exploitation requires an attacker to craft a link or HTTP request that carries the XSS payload in the url parameter of the API documentation interface [1]. The payload runs when a user loads the crafted input, so the attacker must get the target to open it (for example through a phishing link or a cross-site request from another page) [1]. The NVD description does not state whether an authenticated session is needed to reach the dashboard; in practice the exposure is to anyone who can reach the ONOS controller's web UI, and a logged-in administrator is the natural target because the script inherits that session [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript or HTML in the context of the victim's browser session, potentially capturing credentials, modifying page content, or issuing requests to the controller on behalf of the authenticated user [1]. Because ONOS is a core SDN controller, a hijacked administrator session could translate into unauthorized network configuration changes; the impact on the network itself is bounded by the privileges of the victim's session.

Mitigation

The vulnerability is present in all ONOS versions from 1.9.0 through 2.7.0 [1]. At the time of publication no fixed release has been announced, and users should monitor the ONOS project on GitHub [2] for a security release. Until a fix is available, administrators should restrict network access to the ONOS web interface to a management network, and anyone patching locally should validate the url parameter against an allowlist of acceptable spec locations and output-encode it for the HTML context in which it is reflected, rather than relying on generic "sanitization". A Content Security Policy that disallows inline script is a useful second layer, since it limits what a reflected payload can do even where encoding is missed.
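The following is an added example, not ONOS project code, that models the sink described in the exploitation and mitigation paragraphs above: a docs page that reads a url query parameter and builds markup from it. It shows the vulnerable string-concatenation pattern beside a hardened version (allowlist the scheme, then entity-encode what is reflected), plus a crude triage check for whether an injected tag survived as live markup. Function names, the controller hostname, and the sample payloads are illustrative assumptions.

```javascript
// Added example, not ONOS project code: a minimal model of a docs page that
// reads a `url` query parameter (the sink named in CVE-2023-24279) and builds
// HTML from it. Function names and the hostname are illustrative assumptions.

// Vulnerable pattern: the parameter is concatenated straight into markup, so a
// value that closes the href attribute and opens a tag becomes live HTML.
function renderSpecLinkVulnerable(queryString) {
  const url = new URLSearchParams(queryString).get('url') || '';
  return `<a href="${url}">API spec: ${url}</a>`;
}

// Encode for an HTML attribute/text context: every character that can end an
// attribute value or start a tag is replaced by its entity.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist the parameter: it must parse as an absolute http(s) URL, which
// rejects javascript:/data: schemes and relative junk such as `"><img ...>`.
function isAllowedSpecUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (_) {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened pattern: validate first, then output-encode whatever is reflected.
function renderSpecLinkHardened(queryString) {
  const url = new URLSearchParams(queryString).get('url') || '';
  if (!isAllowedSpecUrl(url)) {
    return '<p>Invalid spec URL</p>';
  }
  const safe = escapeHtml(url);
  return `<a href="${safe}">API spec: ${safe}</a>`;
}

// Crude triage check on a rendered response: did an injected tag survive as
// real markup, as opposed to an entity-encoded copy (&lt;img ...)?
function containsInjectedTag(html) {
  return /<\s*(script|img|svg|iframe|object|embed)\b/i.test(html);
}

// Constructed inputs, mirroring what a phishing link to the dashboard might carry.
const XSS_QUERY = 'url=' + encodeURIComponent('"><img src=x onerror=alert(1)>');
const SCHEME_QUERY = 'url=' + encodeURIComponent('javascript:alert(document.cookie)');
const BENIGN_QUERY = 'url=' + encodeURIComponent('https://controller.example/onos/v1/spec?rev="1"');

function demo() {
  return {
    vulnerableInjected: containsInjectedTag(renderSpecLinkVulnerable(XSS_QUERY)),
    hardenedInjected: containsInjectedTag(renderSpecLinkHardened(XSS_QUERY)),
    hardenedScheme: renderSpecLinkHardened(SCHEME_QUERY),
    hardenedBenign: renderSpecLinkHardened(BENIGN_QUERY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real browser-side dashboard the same two steps apply, but the safer shape is to set `anchor.href` and `anchor.textContent` through DOM APIs after the allowlist check instead of building a template string, so no encoding step can be forgotten.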

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.onosproject:onos-archetypes | Maven | >= 1.9.0, <= 2.7.0 | none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0

No linked articles in our index yet.