XSS in openfire 3.6.4

Hi, I’d like to report a bug. There’s a reflected XSS in openfire 3.6.4. I verified this by requesting:

http://www.example.com:9090/plugins/search/advance-user-search.jsp?criteria="><script>alert(*/xss/*)</script>

3.7.0 beta does not appear to be affected.

Speaking of the beta, are there plans to integrate the beta's fix for the login page XSS into the 3.6.x branch?

Thanks in advance

Brian
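The attribute-context breakout described in the report, shown as an added example (not Openfire's code): a stand-in for the search form echoes the `criteria` parameter raw, then with HTML entity encoding, and a parser-based check confirms which rendering keeps the value inside the attribute.

```python
import html
from html.parser import HTMLParser

# The payload from the report, embedded here as a constructed test string.
REPORTED_CRITERIA = '"><script>alert(*/xss/*)</script>'


def render_vulnerable(criteria: str) -> str:
    # The reflected-XSS pattern: the query parameter lands in an attribute
    # value without encoding, so a leading "> closes the attribute and tag.
    return f'<input type="text" name="criteria" value="{criteria}">'


def render_fixed(criteria: str) -> str:
    # quote=True also encodes " and ', which is what keeps the value inside
    # the attribute; escaping only < and > would not be enough here.
    return f'<input type="text" name="criteria" value="{html.escape(criteria, quote=True)}">'


class _FormProbe(HTMLParser):
    """Records the first <input> value attribute and counts <script> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.value = None
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")
        if tag == "script":
            self.script_tags += 1


def parse_rendered(page: str):
    # Defender-side check: parse the response the way a browser would and
    # report (value the browser sees, number of script elements created).
    probe = _FormProbe()
    probe.feed(page)
    return probe.value, probe.script_tags


if __name__ == "__main__":
    print(parse_rendered(render_vulnerable(REPORTED_CRITERIA)))  # ('', 1)
    print(parse_rendered(render_fixed(REPORTED_CRITERIA)))       # (payload, 0)
```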

Hi Brian,

There are no plans to continue the 3.6.x branch. If somebody wants to step up to do that, that’d be great.

daryl

Thanks for the quick reply. Just to be clear - the only supported version at this point is 3.7.0 beta, correct?

Brian

I am not sure what you imply by ‘supported version’. There are no dedicated resources to develop openfire, only a few of us that push things forward when we have a need / chance to. 3.7.0 beta is the only release I personally care about.

daryl