The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
References
Link | Resource |
---|---|
https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html | Issue Tracking Third Party Advisory |
https://issues.igniterealtime.org/browse/OF-1417 | Issue Tracking Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-10-26T17:00:00
Updated: 2017-10-26T16:57:01
Reserved: 2017-10-25T00:00:00
Link: CVE-2017-15911
JSON object: View
NVD Information
Status : Analyzed
Published: 2017-10-26T17:29:00.377
Modified: 2017-11-17T13:47:51.110
Link: CVE-2017-15911
JSON object: View
Redhat Information
No data.
CWE