Openfire 4.6.0 has Stored XSS vulnerabilities.
Stored XSS
http://127.0.0.1:9090/plugins/bookmarks/create-bookmark.jsp
payload and alert(document.cookie)
If you can’t trigger the vulnerability, you need to install some default plug-ins.
My email is eXB0aG5vQGdtYWlsLmNvbQ==. Please contact us if you have any questions.