Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12M2gyLTRqMnItd3FqOM4AAYL9
Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
Permalink: https://github.com/advisories/GHSA-v3h2-4j2r-wqj8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12M2gyLTRqMnItd3FqOM4AAYL9
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 4.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-v3h2-4j2r-wqj8, CVE-2017-15911
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-15911
- https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html
- https://issues.igniterealtime.org/browse/OF-1417
- https://github.com/advisories/GHSA-v3h2-4j2r-wqj8
Affected Packages
maven:org.igniterealtime.openfire:parent
Dependent packages: 0Dependent repositories: 2
Downloads:
Affected Version Ranges: < 4.1.7
Fixed in: 4.1.7
All affected versions:
All unaffected versions: 4.2.0