GHSA-v3h2-4j2r-wqj8

Suggest an improvement
Source
https://github.com/advisories/GHSA-v3h2-4j2r-wqj8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v3h2-4j2r-wqj8/GHSA-v3h2-4j2r-wqj8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v3h2-4j2r-wqj8
Aliases
Published
2022-05-17T00:23:24Z
Modified
2023-11-08T03:58:59.035720Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console
Details

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.

References

Affected packages

Maven / org.igniterealtime.openfire:parent

Package

Name
org.igniterealtime.openfire:parent
View open source insights on deps.dev
Purl
pkg:maven/org.igniterealtime.openfire/parent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1.7