Vulnerability Details CVE-2023-0870
A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.7%
CVSS Severity
CVSS v3 Score 8.1
References
- https://docs.opennms.com/meridian/2023/releasenotes/changelog.html#releasenotes-changelog-Meridian-2023.1.1
- https://github.com/OpenNMS/opennms/pull/5835/files
- https://docs.opennms.com/meridian/2023/releasenotes/changelog.html#releasenotes-changelog-Meridian-2023.1.1
- https://github.com/OpenNMS/opennms/pull/5835/files
Products affected by CVE-2023-0870
-
cpe:2.3:a:opennms:horizon:1.0
-
cpe:2.3:a:opennms:horizon:16.0.0
-
cpe:2.3:a:opennms:horizon:17.0.0
-
cpe:2.3:a:opennms:horizon:17.1.0
-
cpe:2.3:a:opennms:horizon:17.1.1
-
cpe:2.3:a:opennms:horizon:18.0.0
-
cpe:2.3:a:opennms:horizon:18.0.1
-
cpe:2.3:a:opennms:horizon:18.0.2
-
cpe:2.3:a:opennms:horizon:18.0.3
-
cpe:2.3:a:opennms:horizon:18.0.4
-
cpe:2.3:a:opennms:horizon:19.0.0
-
cpe:2.3:a:opennms:horizon:19.0.1
-
cpe:2.3:a:opennms:horizon:19.1.0
-
cpe:2.3:a:opennms:horizon:20.0.0
-
cpe:2.3:a:opennms:horizon:20.0.1
-
cpe:2.3:a:opennms:horizon:20.0.2
-
cpe:2.3:a:opennms:horizon:20.1.0
-
cpe:2.3:a:opennms:horizon:21.0.0
-
cpe:2.3:a:opennms:horizon:21.0.1
-
cpe:2.3:a:opennms:horizon:21.0.2
-
cpe:2.3:a:opennms:horizon:21.0.3
-
cpe:2.3:a:opennms:horizon:21.0.4
-
cpe:2.3:a:opennms:horizon:21.0.5
-
cpe:2.3:a:opennms:horizon:21.1.0
-
cpe:2.3:a:opennms:horizon:22.0.0
-
cpe:2.3:a:opennms:horizon:22.0.1
-
cpe:2.3:a:opennms:horizon:22.0.2
-
cpe:2.3:a:opennms:horizon:22.0.3
-
cpe:2.3:a:opennms:horizon:22.0.4
-
cpe:2.3:a:opennms:horizon:23.0.0
-
cpe:2.3:a:opennms:horizon:23.0.1
-
cpe:2.3:a:opennms:horizon:23.0.2
-
cpe:2.3:a:opennms:horizon:23.0.3
-
cpe:2.3:a:opennms:horizon:23.0.4
-
cpe:2.3:a:opennms:horizon:24.0.0
-
cpe:2.3:a:opennms:horizon:24.1.0
-
cpe:2.3:a:opennms:horizon:24.1.1
-
cpe:2.3:a:opennms:horizon:24.1.2
-
cpe:2.3:a:opennms:horizon:24.1.3
-
cpe:2.3:a:opennms:horizon:25.0.0
-
cpe:2.3:a:opennms:horizon:25.1.0
-
cpe:2.3:a:opennms:horizon:25.1.1
-
cpe:2.3:a:opennms:horizon:25.1.2
-
cpe:2.3:a:opennms:horizon:25.2.0
-
cpe:2.3:a:opennms:horizon:25.2.1
-
cpe:2.3:a:opennms:horizon:26.0.0
-
cpe:2.3:a:opennms:horizon:26.0.1
-
cpe:2.3:a:opennms:horizon:26.1.0
-
cpe:2.3:a:opennms:horizon:26.1.1
-
cpe:2.3:a:opennms:horizon:26.1.2
-
cpe:2.3:a:opennms:horizon:26.1.3
-
cpe:2.3:a:opennms:horizon:26.2.0
-
cpe:2.3:a:opennms:horizon:26.2.1
-
cpe:2.3:a:opennms:horizon:26.2.2
-
cpe:2.3:a:opennms:horizon:27.0.0
-
cpe:2.3:a:opennms:horizon:27.0.1
-
cpe:2.3:a:opennms:horizon:27.0.2
-
cpe:2.3:a:opennms:horizon:27.0.3
-
cpe:2.3:a:opennms:horizon:27.0.4
-
cpe:2.3:a:opennms:horizon:27.0.5
-
cpe:2.3:a:opennms:horizon:27.1.0
-
cpe:2.3:a:opennms:horizon:27.1.1
-
cpe:2.3:a:opennms:horizon:27.2.0
-
cpe:2.3:a:opennms:horizon:28.0.0
-
cpe:2.3:a:opennms:horizon:28.0.1
-
cpe:2.3:a:opennms:horizon:28.0.2
-
cpe:2.3:a:opennms:horizon:28.1.0
-
cpe:2.3:a:opennms:horizon:28.1.1
-
cpe:2.3:a:opennms:horizon:29.0.0
-
cpe:2.3:a:opennms:horizon:29.0.1
-
cpe:2.3:a:opennms:horizon:29.0.10
-
cpe:2.3:a:opennms:horizon:29.0.11
-
cpe:2.3:a:opennms:horizon:29.0.2
-
cpe:2.3:a:opennms:horizon:29.0.3
-
cpe:2.3:a:opennms:horizon:29.0.4
-
cpe:2.3:a:opennms:horizon:29.0.5
-
cpe:2.3:a:opennms:horizon:29.0.6
-
cpe:2.3:a:opennms:horizon:29.0.7
-
cpe:2.3:a:opennms:horizon:29.0.8
-
cpe:2.3:a:opennms:horizon:29.0.9
-
cpe:2.3:a:opennms:horizon:30.0.0
-
cpe:2.3:a:opennms:horizon:30.0.1
-
cpe:2.3:a:opennms:horizon:30.0.2
-
cpe:2.3:a:opennms:horizon:30.0.3
-
cpe:2.3:a:opennms:horizon:30.0.4
-
cpe:2.3:a:opennms:horizon:31.0.0
-
cpe:2.3:a:opennms:horizon:31.0.1
-
cpe:2.3:a:opennms:horizon:31.0.2
-
cpe:2.3:a:opennms:horizon:31.0.3
-
cpe:2.3:a:opennms:horizon:31.0.4
-
cpe:2.3:a:opennms:horizon:31.0.5
-
cpe:2.3:a:opennms:meridian:2020.1.0
-
cpe:2.3:a:opennms:meridian:2020.1.1
-
cpe:2.3:a:opennms:meridian:2020.1.1-1
-
cpe:2.3:a:opennms:meridian:2020.1.10
-
cpe:2.3:a:opennms:meridian:2020.1.11
-
cpe:2.3:a:opennms:meridian:2020.1.12
-
cpe:2.3:a:opennms:meridian:2020.1.13
-
cpe:2.3:a:opennms:meridian:2020.1.14
-
cpe:2.3:a:opennms:meridian:2020.1.15
-
cpe:2.3:a:opennms:meridian:2020.1.16
-
cpe:2.3:a:opennms:meridian:2020.1.17
-
cpe:2.3:a:opennms:meridian:2020.1.18
-
cpe:2.3:a:opennms:meridian:2020.1.19
-
cpe:2.3:a:opennms:meridian:2020.1.2
-
cpe:2.3:a:opennms:meridian:2020.1.2-1
-
cpe:2.3:a:opennms:meridian:2020.1.20
-
cpe:2.3:a:opennms:meridian:2020.1.21
-
cpe:2.3:a:opennms:meridian:2020.1.22
-
cpe:2.3:a:opennms:meridian:2020.1.23
-
cpe:2.3:a:opennms:meridian:2020.1.24
-
cpe:2.3:a:opennms:meridian:2020.1.25
-
cpe:2.3:a:opennms:meridian:2020.1.26
-
cpe:2.3:a:opennms:meridian:2020.1.27
-
cpe:2.3:a:opennms:meridian:2020.1.28
-
cpe:2.3:a:opennms:meridian:2020.1.29
-
cpe:2.3:a:opennms:meridian:2020.1.3
-
cpe:2.3:a:opennms:meridian:2020.1.3-1
-
cpe:2.3:a:opennms:meridian:2020.1.30
-
cpe:2.3:a:opennms:meridian:2020.1.31
-
cpe:2.3:a:opennms:meridian:2020.1.32
-
cpe:2.3:a:opennms:meridian:2020.1.4
-
cpe:2.3:a:opennms:meridian:2020.1.4-1
-
cpe:2.3:a:opennms:meridian:2020.1.5
-
cpe:2.3:a:opennms:meridian:2020.1.5-1
-
cpe:2.3:a:opennms:meridian:2020.1.6
-
cpe:2.3:a:opennms:meridian:2020.1.7
-
cpe:2.3:a:opennms:meridian:2020.1.7-1
-
cpe:2.3:a:opennms:meridian:2020.1.8
-
cpe:2.3:a:opennms:meridian:2020.1.8-1
-
cpe:2.3:a:opennms:meridian:2020.1.9
-
cpe:2.3:a:opennms:meridian:2020.1.9-1
-
cpe:2.3:a:opennms:meridian:2021.1.0
-
cpe:2.3:a:opennms:meridian:2021.1.0-1
-
cpe:2.3:a:opennms:meridian:2021.1.1
-
cpe:2.3:a:opennms:meridian:2021.1.1-1
-
cpe:2.3:a:opennms:meridian:2021.1.10
-
cpe:2.3:a:opennms:meridian:2021.1.11
-
cpe:2.3:a:opennms:meridian:2021.1.12
-
cpe:2.3:a:opennms:meridian:2021.1.13
-
cpe:2.3:a:opennms:meridian:2021.1.14
-
cpe:2.3:a:opennms:meridian:2021.1.15
-
cpe:2.3:a:opennms:meridian:2021.1.16
-
cpe:2.3:a:opennms:meridian:2021.1.17
-
cpe:2.3:a:opennms:meridian:2021.1.18
-
cpe:2.3:a:opennms:meridian:2021.1.19
-
cpe:2.3:a:opennms:meridian:2021.1.2
-
cpe:2.3:a:opennms:meridian:2021.1.20
-
cpe:2.3:a:opennms:meridian:2021.1.21
-
cpe:2.3:a:opennms:meridian:2021.1.22
-
cpe:2.3:a:opennms:meridian:2021.1.23
-
cpe:2.3:a:opennms:meridian:2021.1.24
-
cpe:2.3:a:opennms:meridian:2021.1.3
-
cpe:2.3:a:opennms:meridian:2021.1.4
-
cpe:2.3:a:opennms:meridian:2021.1.5
-
cpe:2.3:a:opennms:meridian:2021.1.6
-
cpe:2.3:a:opennms:meridian:2021.1.7
-
cpe:2.3:a:opennms:meridian:2021.1.8
-
cpe:2.3:a:opennms:meridian:2021.1.9
-
cpe:2.3:a:opennms:meridian:2022.1.0
-
cpe:2.3:a:opennms:meridian:2022.1.1
-
cpe:2.3:a:opennms:meridian:2022.1.10
-
cpe:2.3:a:opennms:meridian:2022.1.11
-
cpe:2.3:a:opennms:meridian:2022.1.12
-
cpe:2.3:a:opennms:meridian:2022.1.13
-
cpe:2.3:a:opennms:meridian:2022.1.2
-
cpe:2.3:a:opennms:meridian:2022.1.3
-
cpe:2.3:a:opennms:meridian:2022.1.4
-
cpe:2.3:a:opennms:meridian:2022.1.5
-
cpe:2.3:a:opennms:meridian:2022.1.6
-
cpe:2.3:a:opennms:meridian:2022.1.7
-
cpe:2.3:a:opennms:meridian:2022.1.8
-
cpe:2.3:a:opennms:meridian:2022.1.9
-
cpe:2.3:a:opennms:meridian:2023.1.0