CVE-2017-15911: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

May 17, 2022 (updated November 22, 2022)

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.

References

becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html
github.com/advisories/GHSA-v3h2-4j2r-wqj8
issues.igniterealtime.org/browse/OF-1417
nvd.nist.gov/vuln/detail/CVE-2017-15911

Code Behaviors & Features

Detect and mitigate CVE-2017-15911 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →