CVE-2017-15911 Information
Feb 14, 2021
Description
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow, as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Reference
https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html
https://issues.igniterealtime.org/browse/OF-1417
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
4.8
Base Severity
MEDIUM