CVE-2023-25827: 
Java vulnerability analysis and mitigation

OpenTSDB, a distributed time series database working over Apache HBase, contains a reflected cross-site scripting (XSS) vulnerability identified as CVE-2023-25827. The vulnerability was discovered in May 2023 and affects OpenTSDB versions 1.0.0 up to and including 2.4.1. The issue stems from insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint (Synopsys Blog).

The vulnerability occurs due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint. Malicious URLs can be crafted and supplied to a victim, causing request errors for the legacy HTTP query API (the '/q' endpoint) and the logging '/logs' endpoint. Arbitrary JavaScript can be injected into the 'start', 'end', 'm', and 'key' parameters of '/q', and the 'level' parameter of '/logs'. The vulnerability has a CVSS v3.1 base score of 8.2 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (Synopsys Blog).

When exploited, this vulnerability can lead to the execution of arbitrary JavaScript within the browser of a targeted user. This allows an attacker to steal sensitive information retained by their browser, such as configured authentication tokens or session cookies (Synopsys Blog).

The vulnerability has been fixed in a patch released through GitHub. Users should update to the patched version of OpenTSDB. The fix was implemented in April 2023 and confirmed by Black Duck (GitHub PR, Synopsys Blog).