CVE-2023-0871 : OPENMNS HORIZON/MERIDIAN XML EXTERNAL ENTITY REFERENCE - Cloud WAF

Free Trial

CVE-2023-0871 : OPENMNS HORIZON/MERIDIAN XML EXTERNAL ENTITY REFERENCE

Description

XXE injection in /rtc/post/ endpoint in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used for instance to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet.

References

https://github.com/OpenNMS/opennms/pull/6355

https://docs.opennms.com/horizon/32/releasenotes/changelog.html

For More Information

Contact us to get started

CVE-2024-36053 : LINUXMINT MINTUPLOAD UP TO 4.2.0 SERVICE OS COMMAND INJECTION

CVE-2024-36053 : LINUXMINT MINTUPLOAD UP TO 4.2.0 SERVICE OS COMMAND INJECTION

Description In the mintupload package through 4.2.0 for Linux Mint, service-name mishandling leads to command injection via shell metacharacters in

Learn more

CVE-2024-36080 : WESTERMO EDW-100 DEVICES UP TO 2024-05-03 HARD-CODED PASSWORD

CVE-2024-36080 : WESTERMO EDW-100 DEVICES UP TO 2024-05-03 HARD-CODED PASSWORD

Description Westermo EDW-100 devices through 2024-05-03 have a hidden root user account with a hardcoded password that cannot be changed.

Learn more

CVE-2024-3319 : SAILPOINT IDENTITY SECURITY CLOUD TRANSFORM PREVIEW/IDENTITYPROFILE PREVIEW CODE INJECTION

CVE-2024-3319 : SAILPOINT IDENTITY SECURITY CLOUD TRANSFORM PREVIEW/IDENTITYPROFILE PREVIEW CODE INJECTION

Description An issue was identified in the Identity Security Cloud (ISC) Transform preview and IdentityProfile preview API endpoints that allowed

Learn more