Description
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link (reflected cross-site scripting, XSS). Session ID and data theft may follow, as well as bypassing CSRF protections, injecting iframes to establish communication channels, and so on. The vulnerability is only exploitable after login to the application, i.e. the victim must already hold an authenticated Admin Console session when the link is opened.
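The description names the flaw class (CWE-79) and the reflected parameter (`domain` on `setup/setup-host-settings.jsp`) but not the code. The block below is an added illustration written in plain JavaScript, not Openfire's JSP and not the project's fix: `renderVulnerable` and `renderHardened` are hypothetical models of a page that echoes the `domain` query parameter into an HTML attribute, and the test payload and the base URL `openfire.example.invalid` are constructed for the example.

```javascript
// Added illustration of the CWE-79 pattern behind this advisory.
// NOT Openfire's code: the real page is setup/setup-host-settings.jsp (a JSP);
// the two render functions below are a hypothetical model of it.

// HTML entity encoding that is safe for text and double-quoted attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Extract the `domain` parameter from a crafted link the way the server
// receives it after the victim's browser follows the link.
// The base host is an assumption used only to resolve relative links.
function domainParamFromUrl(url) {
  const u = new URL(url, "https://openfire.example.invalid/");
  return u.searchParams.get("domain") || "";
}

// Vulnerable rendering: the parameter is interpolated into the attribute as-is,
// so a value containing `"` closes the attribute and the rest becomes markup.
function renderVulnerable(domain) {
  return `<input type="text" name="domain" value="${domain}">`;
}

// Hardened rendering: the value is entity-encoded before interpolation, so it
// can never terminate the attribute or open a tag.
function renderHardened(domain) {
  return `<input type="text" name="domain" value="${escapeHtml(domain)}">`;
}

// Crude detector used to show the difference: did the reflected value break
// out of the attribute and introduce a <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Walk a crafted link through both renderers and report what each produced.
function demonstrate(craftedLink) {
  const domain = domainParamFromUrl(craftedLink);
  return {
    domain,
    vulnerableEscapes: containsScriptTag(renderVulnerable(domain)),
    hardenedEscapes: containsScriptTag(renderHardened(domain)),
  };
}

// Constructed test link (not from the advisory): the classic break-out payload.
const CRAFTED_LINK =
  "https://openfire.example.invalid/setup/setup-host-settings.jsp?domain=" +
  encodeURIComponent('"><script>alert(1)</script>');

console.log(demonstrate(CRAFTED_LINK));
```

Entity encoding at the point of output is the generic fix for this CWE; whether Openfire 4.1.7 used exactly this approach is not stated on the page, so treat the hardened function as the pattern to look for in a code review, not as the upstream patch.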
References
- Issue Tracking, Third Party Advisory
- Issue Tracking, Vendor Advisory
- Issue Tracking, Third Party Advisory
- Issue Tracking, Vendor Advisory
Vulnerable configurations
Configuration 1: versions up to 4.1.6 (inclusive)
cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*
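The configuration above is a CPE 2.3 match with a wildcard version and an upper bound of 4.1.6 inclusive (the fix shipped in 4.1.7). As an added worked check, not part of the advisory or of Openfire, the block below takes an installed product's CPE string (as an inventory tool would report it) and decides whether it falls in that range; the sample CPE strings in the test are constructed.

```javascript
// Added affected-range check for this advisory (not the page's or project's code).
// Upper bound taken from the configuration above: all versions <= 4.1.6.
const AFFECTED_END_INCLUDING = "4.1.6";
const CPE_PRODUCT_PREFIX = "cpe:2.3:a:igniterealtime:openfire:";

// Parse the leading dotted-numeric part of a version ("4.1.6", "4.1.6-SNAPSHOT")
// into an array of integers. Pre-release suffixes are ignored, which is a
// deliberate simplification: "4.1.7-SNAPSHOT" is treated as 4.1.7.
function parseVersion(v) {
  const m = /^(\d+(?:\.\d+)*)/.exec(String(v).trim());
  if (!m) throw new Error("unparseable version: " + v);
  return m[1].split(".").map(Number);
}

// Numeric component-wise comparison; missing components count as 0,
// so "4.1" == "4.1.0" and "4.1.10" > "4.1.6".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns true if the CPE names an affected Openfire version, false if it is
// a different product or a fixed version, and null if the version field is a
// wildcard ("*") or not applicable ("-") and therefore cannot be decided.
function isAffected(cpe) {
  if (!cpe.startsWith(CPE_PRODUCT_PREFIX)) return false;
  const version = cpe.slice(CPE_PRODUCT_PREFIX.length).split(":")[0];
  if (version === "*" || version === "-" || version === "") return null;
  return compareVersions(version, AFFECTED_END_INCLUDING) <= 0;
}

console.log(isAffected("cpe:2.3:a:igniterealtime:openfire:4.1.6:*:*:*:*:*:*:*"));
```

Inventory data often carries the version with a build suffix; the parser tolerates that, but if you need strict pre-release ordering (4.1.7-beta sorting before 4.1.7), extend `compareVersions` rather than relying on the simplification noted in the comment.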
EPSS
- 0.00479 (percentile: 64%), Low
CVSS3
- 4.8 Medium
CVSS2
- 3.5 Low
Weaknesses
- CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related vulnerabilities
- github (more than 3 years ago), CVSS3: 4.8: Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console
  EPSS: 0.00479 (percentile: 64%), Low; CVSS3: 4.8 Medium; CVSS2: 3.5 Low; Weaknesses: CWE-79