Multiple Reflected Cross-Site Scripting (XSS) in Openfire Product
31st Dec, 2019
Proof of concept: (POC)
The following vulnerability was tested on Openfire version 4.4.4.
Issue 01: The “search” GET parameter in the URL http://localhost:9090/user-groups.jsp?search=test&username=admin is reflected to the client side without validation of the XSS payload, which results in reflected cross-site scripting.
Figure 01: A group name is searched for using the Search by name button (the search value is where the reflected XSS occurs).
Figure 02: The XSS payload is added to the “search” variable.
Figure 03: HTTP response for the modified “search” variable with the XSS payload.
Figure 04: The injected XSS payload, "onmouseover=alert(/xss/)//, is reflected in the browser response.
- Stealing cookies
- Disclosure of end-user files
- Redirection of the user to some other page or site
Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library. Implement input validation for special characters on all variables that are reflected to the browser or stored in the database. Implement client-side validation.
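The encoding step recommended above, shown as an added example (not Openfire's code and not part of the original advisory). It assumes the search value is echoed into a double-quoted `value` attribute of an `<input>` element; the template and the names `render_unsafe`, `render_encoded`, `parsed_attrs` and `unexpected_attrs` are hypothetical. The output is parsed back to check whether the value stayed inside its attribute.

```python
from html import escape
from html.parser import HTMLParser

# Payload quoted in Figure 04 of the advisory.
PAYLOAD = '"onmouseover=alert(/xss/)//'
# Attributes the (assumed) search-box template is meant to emit.
EXPECTED = {"type", "name", "value"}


def render_unsafe(search):
    """Echo the value into a double-quoted attribute with no encoding."""
    return '<input type="text" name="search" value="' + search + '">'


def render_encoded(search):
    """Same template, with HTML-attribute encoding applied to the value."""
    # quote=True also encodes " and ', so the value cannot close the attribute.
    return '<input type="text" name="search" value="' + escape(search, quote=True) + '">'


class InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a parser sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def unexpected_attrs(markup):
    """Attribute names the template never emits: a sign that input escaped its context."""
    return sorted(set(parsed_attrs(markup)) - EXPECTED)


if __name__ == "__main__":
    for render in (render_unsafe, render_encoded):
        out = render(PAYLOAD)
        print(render.__name__, out, unexpected_attrs(out))
```

The same `unexpected_attrs` check can serve as a regression test for any template that reflects request parameters into attributes.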
Dec 30, 2019: Vulnerability Discovered in OpenFire
Dec 31, 2019: Vulnerability Reported to Vendor
Dec 31, 2019: Vendor Responded
Dec 31, 2019: Vendor Released Fix
Jan 08, 2020: CVE Assigned
Cyber Security Works Pvt. Ltd.
- Affected Vendor: Openfire
- Bug Name: Multiple Reflected Cross-Site Scripting (XSS)
- CVE Number: CVE-2019-20365
- CWE ID: CWE-79
- CSW ID: 2019-CSW-12-1035
- CVSSv3 Score: 6.1
- Affected Version: 4.4.4
- Affected Product: Ignite Realtime