CVE-2023-0871

CVSS v3 Score: 6.1 (Medium)

Vulnerability Description

The /rtc/post/ endpoint in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms is vulnerable to XML external entity (XXE) injection, which can be used, for instance, to force Horizon to make arbitrary HTTP requests to internal and external services. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Erik Wynter and Moshe Apelbaum for reporting this issue.

CVSS:6.1(Medium)

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote atta...

CVSS:6.1(Medium)

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

CVSS:6.0(Medium)

SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a r...

CVSS:6.0(Medium)

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access sensitive information, conduct a server-side reque...

CVSS:5.9(Medium)

Apache Ignite before 1.9 allows man-in-the-middle attackers to read arbitrary files via XXE in modified update-notifier documents.

CVSS:5.9(Medium)

XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document.