I stumbled on an XSS vulnerability in Openfire 3.4.5. After looking at the reported bugs and trying to find anything about it in the forum, I have concluded that this is a previously unknown vulnerability. The recommendation I’ve found is to post it in the forum; this just doesn’t feel right.
I wasn’t really going to post the information in the forum. Just hinting at the fact that someone working with Openfire might want to set up a mail or similar point of contact for security issues. Posting security issues to an open forum is a really bad idea.
The project developers for Openfire are Daniel and Gato, so you might try looking them up. Also, the community group chat on Wed. at 10 AM Pacific is a good way to get in contact with the right people.