Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console
Moderate severity
GitHub Reviewed
Published
May 17, 2022
to the GitHub Advisory Database
•
Updated Feb 2, 2023
Description
Published by the National Vulnerability Database
Oct 26, 2017
Published to the GitHub Advisory Database
May 17, 2022
Reviewed
Nov 22, 2022
Last updated
Feb 2, 2023
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
References