CVE-2017-15911
CVE-2017-15911 is a vulnerability of currently unknown severity: a cross-site scripting (XSS) flaw in the Admin Console of Ignite Realtime Openfire Server before 4.1.7, triggered when a logged-in user clicks a crafted setup/setup-host-settings.jsp?domain= link. EPSS estimates a 0.73% chance of exploitation in the next 30 days.
Description
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow, as may bypassing CSRF protections, injecting iframes to establish communication channels, and similar post-exploitation. The vulnerable page is reachable only after logging in to the Admin Console, so the victim must already hold an authenticated session; that is also what makes the stolen session ID valuable to the attacker.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Igniterealtime | Openfire | <= 4.1.6 |
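The two questions a practitioner asks about the Description and the Affected Software table above are "is my version in the affected range?" and "does my instance actually reflect the domain parameter unencoded?". The following script, an added example and not Openfire project code, answers both offline. The endpoint path and the fixed version (4.1.7) come from the advisory; the HTML fixtures, the host xmpp.example and the assumption that the page echoes the parameter into an input attribute are constructed for this example.

```python
"""Offline triage helpers for CVE-2017-15911 (Openfire Admin Console XSS).

Added example; not Openfire project code. The HTML fixtures below are
constructed for this example, so the real markup of
setup/setup-host-settings.jsp is an assumption. The endpoint path and the
fixed version (4.1.7) come from the advisory text.
"""
import html
import re
from urllib.parse import quote, urljoin

FIXED_VERSION = (4, 1, 7)  # first release that contains the fix

# Canary: distinctive, harmless, and containing the three characters an
# attribute-context XSS needs to see reflected raw: double quote, '<', '>'.
CANARY = 'c15911"<>'

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn a version string such as '4.1.6' or '4.1.6 Beta' into a tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Openfire version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(text):
    """True for every release before 4.1.7 (NVD lists <= 4.1.6)."""
    return parse_version(text) < FIXED_VERSION


def probe_url(base_url, canary=CANARY):
    """Build the setup/setup-host-settings.jsp?domain= URL with the canary
    percent-encoded, so the server (not the client) is what decodes it."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return (urljoin(base, "setup/setup-host-settings.jsp")
            + "?domain=" + quote(canary, safe=""))


def reflection_status(body, canary=CANARY):
    """Classify how a captured response reflects the canary.

    'unencoded' -> the literal canary is in the body: the page is injectable.
    'encoded'   -> only an HTML-escaped form appears: the parameter is encoded.
    'absent'    -> the canary is not reflected at all (e.g. a login redirect).
    Only 'unencoded' is conclusive; 'encoded' assumes the page uses the
    standard entities (&quot; &lt; &gt;), which is an assumption of this example.
    """
    if canary in body:
        return "unencoded"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "absent"


def check_server(base_url, fetch, canary=CANARY):
    """Run the probe through a caller-supplied fetch(url) -> str.

    The Admin Console serves this page only to a logged-in session (the
    advisory notes the bug is present after login), so `fetch` must carry
    that session; injecting it also keeps this example runnable offline.
    """
    url = probe_url(base_url, canary)
    status = reflection_status(fetch(url), canary)
    return {"url": url, "status": status, "vulnerable": status == "unencoded"}


# Constructed fixtures standing in for real responses (assumption: the page
# echoes the domain parameter into an <input value="..."> attribute).
VULNERABLE_FIXTURE = f'<input type="text" name="domain" value="{CANARY}">'
PATCHED_FIXTURE = ('<input type="text" name="domain" value="'
                   + html.escape(CANARY, quote=True) + '">')

if __name__ == "__main__":
    host = "https://xmpp.example:9090"  # hypothetical Admin Console address
    print(check_server(host, lambda u: VULNERABLE_FIXTURE))
    print(check_server(host, lambda u: PATCHED_FIXTURE))
    print("4.1.6 affected:", is_affected_version("4.1.6"))
```

Against a live instance, replace the lambda with a function that performs the GET using an authenticated Admin Console session; treat only the unencoded verdict as proof, since a redirect to the login page yields absent, not safe.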
References
- https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html (Issue Tracking, Third Party Advisory)
- https://issues.igniterealtime.org/browse/OF-1417 (Issue Tracking, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-15911?
A cross-site scripting (XSS) flaw in the Admin Console of Ignite Realtime Openfire Server before 4.1.7: a crafted setup/setup-host-settings.jsp?domain= link runs attacker-supplied JavaScript in the browser of a logged-in user who clicks it.
How severe is CVE-2017-15911?
No CVSS score is recorded here, so the severity is currently unknown. EPSS estimates a 0.73% chance of exploitation in the next 30 days. Because the target is an authenticated Admin Console session, a successful attack can lead to session ID theft and bypass of CSRF protections.
How do I fix CVE-2017-15911?
Upgrade Openfire to 4.1.7 or later; the vendor fix is tracked as OF-1417 in the references above.
Are you affected by CVE-2017-15911?
You are affected if you run any Openfire release before 4.1.7 (that is, 4.1.6 or earlier).
Source: NVD / NIST
