VYPR
Moderate severity · NVD Advisory · Published May 4, 2023 · Updated Jan 29, 2025

CVE-2023-30093

Description

A cross-site scripting (XSS) vulnerability in Open Networking Foundation ONOS from version v1.9.0 to v2.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter of the API documentation dashboard.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ONOS SDN controller versions 1.9.0 through 2.7.0 contain a cross-site scripting (XSS) vulnerability in the API documentation dashboard, reachable through the url parameter, that enables arbitrary script execution in the context of the ONOS web interface.

Vulnerability

Overview

Open Networking Foundation ONOS (Open Network Operating System) versions 1.9.0 through 2.7.0 contain a cross-site scripting (XSS) vulnerability in the API documentation dashboard. The dashboard renders the value of the url parameter without sanitizing or encoding it, so an attacker can inject arbitrary web scripts or HTML into the page [1].

Exploitation

An attacker crafts a request in which the url parameter of the API documentation dashboard carries script or HTML, and induces a victim to open the resulting page (for example by sending a link). The payload is rendered into the dashboard and executes in the victim's browser, in the origin of the ONOS web interface. The advisory does not state whether authentication is required to reach the documentation endpoint; assume that anyone who can reach the ONOS web interface can reach it unless access controls in front of it say otherwise [1].

Impact

Successful exploitation enables arbitrary JavaScript execution in the victim's browser session within the origin of the ONOS web interface. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Because the script runs in that origin, the attacker can also use the victim's session to call the ONOS northbound REST APIs, potentially altering network configuration or exfiltrating sensitive data [1][2].

Mitigation

As of the publication date (2023-05-04), no patch has been mentioned for this specific CVE. Users are advised to restrict network access to the ONOS web interface and its API documentation dashboard, to ensure the url parameter is validated and output-encoded before it is rendered into the page, and to upgrade to a patched version if one is released. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].
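The Exploitation and Mitigation sections above describe the vulnerability class without showing it. The following is an added example written for this page; it is not ONOS code, and the page structure, route handling, function names and allowed-host list are assumptions for illustration (only the parameter name url comes from the CVE). It models a documentation page that reflects a url query parameter into its markup, first in the vulnerable form and then hardened with scheme/host validation plus context-appropriate encoding.

```javascript
// Added example (not ONOS code): a minimal model of a documentation page
// that reflects a "url" query parameter into HTML. Everything here except
// the parameter name "url" is a constructed assumption for illustration.

// Escape the five characters that change meaning in an HTML text or
// attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable form: the raw parameter is concatenated into markup twice,
// once in an HTML text node and once inside a <script> string literal.
// A value containing a closing quote and tag breaks out of both contexts.
function renderDocsVulnerable(query) {
  const target = query.url ?? "";
  return `<div id="doc-src">Loading API spec from ${target}</div>` +
         `<script>loadSpec("${target}")</script>`;
}

// Hardened form, step 1: only accept http(s) URLs on an allow-listed host.
// Relative values are resolved against the dashboard's own origin, so a
// same-origin path is accepted while javascript:, data: and off-host
// URLs are rejected. The base origin is a constructed placeholder.
function validateSpecUrl(raw, allowedHosts) {
  let u;
  try {
    u = new URL(raw, "https://onos.example/");
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (!allowedHosts.includes(u.host)) return null;
  return u.href;
}

// Hardened form, step 2: encode for each output context separately.
// The text node gets HTML escaping; the script literal gets JSON encoding
// with "<" replaced so a value can never terminate the <script> block.
function renderDocsHardened(query, allowedHosts) {
  const safe = validateSpecUrl(query.url ?? "", allowedHosts);
  if (safe === null) {
    return `<div id="doc-src">Invalid spec URL</div>`;
  }
  const jsLiteral = JSON.stringify(safe).replace(/</g, "\\u003c");
  return `<div id="doc-src">Loading API spec from ${escapeHtml(safe)}</div>` +
         `<script>loadSpec(${jsLiteral})</script>`;
}

// Constructed payload: closes the string and the <script> block, then
// injects an element with an event handler.
const PAYLOAD = '"></script><img src=x onerror="alert(1)">';

// Detection helper used to compare the two renderings: true when the
// output contains injected markup that the page never intended to emit.
function containsInjectedMarkup(html) {
  return /<img[^>]*onerror/i.test(html) || html.includes("</script><");
}
```

Running renderDocsVulnerable({ url: PAYLOAD }) yields markup containing the injected img element, while renderDocsHardened with the same input returns a page whose only occurrence of the payload is percent-encoded inside a validated same-origin URL. The two-step design matters: validation alone leaves a same-origin path free to carry quotes and angle brackets, and encoding alone still lets a javascript: URL through to loadSpec.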

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.onosproject:onos-archetypes (Maven)
Affected versions: >= 1.9.0, <= 2.7.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 5
