CVE-2017-15911

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-15911

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-15911.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-15911

Aliases

GHSA-v3h2-4j2r-wqj8

Published

2017-10-26T17:29:00Z

Modified

2024-09-03T01:45:48.993600Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.

References

Affected packages

Git / github.com/igniterealtime/openfire

Affected ranges

Type: GIT
Repo: https://github.com/igniterealtime/openfire
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

daf5ef478340c0f9d88dd43768d11f119f88c608

Affected versions

Other

attic/origin/master

attic/pubsub_clustering

attic/trunk

v3.*

v3.10.0

v3.9.2

v3.9.3

v4.*

v4.0.0

v4.0.0.beta

v4.1.0

v4.1.0beta

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6