Why Should Schools Prioritize Cybersecurity?
Back to all zero days

Multiple Cross-Site Scripting (XSS) in Openfire Product

Affected Vendor

Ignite Realtime Openfire




Feb 4, 2020

Medium Severity


 A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed whenever the user views the crafted POST request with XSS Payload in Openfire 4.5.0 Product.

Proof of concept: (POC)

The following vulnerability was tested on Openfire version 4.5.0 Product.

Issue 01: Reflected cross-site scripting (POST Request)

Figure 01: System Properties page