Download Ransomware Index Update Q1 2022
Back to all zero days

Multiple Reflected Cross-Site Scripting (XSS) in Openfire Product

Affected Vendor

Openfire

Status

Fixed

Date

Dec 31, 2019

Medium Severity

Description

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed whenever the user submits the crafted POST request with XSS Payload in Openfire 4.4.4 Product.

Proof of concept: (POC)

The following vulnerability is tested on Openfire version 4.4.4 Product. 

Issue 01: Reflected cross-site scripting:

Figure 01: Save the import CA certificate alias information (here Alias is ‘reflected XSS’).

Figure 02: Add XSS payload to the variable “Alias.”

Figure 03: HTTP Response for the modified “alias” variable with the XSS payload.

Figure 04: Injected XSS payload, “><script>alert(document.cookie)</script>gets reflected in the browser response.

Impact

  • Stealing cookies 
  • End-user files disclosure. 
  • Redirection of the user to some other page or site.

Remediations

Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library. Implement input validation for special characters on all the variables that are reflecting to the browser and storing it in the database. Implement client-side validation.

Timeline

Dec 30, 2019: Vulnerability Discovered in OpenFire

Dec 31, 2019: Vulnerability Reported to Vendor

Dec 31, 2019: Vendor Responded

Dec 31, 2019: Vendor Released Fix

Jan 08, 2020: CVE Assigned

Discovered by

Cyber Security Works Pvt. Ltd.


  • Affected VendorOpenfire
  • Bug NameMultiple Reflected Cross-Site Scripting (XSS)
  • CVE NumberCVE-2019-20363
  • CWE IDCWE - 79
  • CSW ID2019-CSW-12-1033
  • CVSSv3 Score6.1
  • Affected Version4.4.4
  • SeverityMedium
  • Affected ProductIgnite Realtime
fb icon twitter icon insta icon

Talk to CSW's team of experts to secure your landscape.