powered by Jive Software

Stored Cross Site Scripting in Openfire 4.2.2 Admin Console

Dear Team,

We have found vulnerability on Openfire 4.2.2 admin console under Server --> Server Manager --> System Properties --> Add new property :

Property Name: test
Property Value: alert(1)

Save the Property, once it saved then under Security Audit Viewer you get the script execute.

I have just tried it and it didn’t execute. I have tried in Firefox. Can you provide more info or exact steps to reproduce? Does the browser matter?

Please find the attached snip.

you can try any Browser.

I see, so it’s the name (it was fixed for the value at some point, i think). Thanks for reporting. Filed as https://issues.igniterealtime.org/browse/OF-1518

Thanks for updating the Bug Report, can we get the timeline for closer of Bug.

I’m not a developer, can’t say when someone will look into this.

The ticket has been marked as fixed and the fix should be included in 4.2.3. Can’t say when it will be released though.

Hi Wroot,

Thanks for fixing the bug, waiting for new release of Openfire 4.2.3.

Venkatesh Manthena