CVE-2017-15911 – org.igniterealtime.openfire:parent

Package

Manager: maven
Name: org.igniterealtime.openfire:parent
Vulnerable Version: >=0 <4.1.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00425 pctl0.61391

Details

Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.

Metadata

Created: 2022-05-17T00:23:24Z
Modified: 2022-11-22T19:20:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v3h2-4j2r-wqj8/GHSA-v3h2-4j2r-wqj8.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-v3h2-4j2r-wqj8
Finding: F008
Auto approve: 1