Mail
1
Dear Team,
We have found a vulnerability in the Openfire 4.2.2 admin console under Server --> Server Manager --> System Properties --> Add new property:
Property Name: test
Property Value: alert(1)
Save the property. Once it is saved, you get the script executing under Security Audit Viewer.
wroot
2
I have just tried it and it didn’t execute. I have tried in Firefox. Can you provide more info or exact steps to reproduce? Does the browser matter?
Mail
3
Please find the attached snip.
You can try any browser.
wroot
4
I see, so it’s the name (it was fixed for the value at some point, I think). Thanks for reporting. Filed as https://issues.igniterealtime.org/browse/OF-1518
Mail
5
Thanks for updating the bug report. Can we get the timeline for closure of the bug?
wroot
6
I’m not a developer, can’t say when someone will look into this.
wroot
7
The ticket has been marked as fixed and the fix should be included in 4.2.3. Can’t say when it will be released though.
Mail
8
Hi Wroot,
Thanks for fixing the bug, waiting for the new release of Openfire 4.2.3.
Regards,
Venkatesh Manthena