Hi, I’d like to report a bug. There’s a reflected XSS in openfire 3.6.4. I verified this by requesting:
`http://www.example.com:9090/plugins/search/advance-user-search.jsp?criteria="><script>alert(*/xss/*)</script>`
3.7.0 beta does not appear to be affected.
Speaking of the beta, are there plans to integrate the beta's fix for the login page XSS into the 3.6.x branch?
Thanks in advance
Brian
I am not sure what you imply by ‘supported version’. There are not dedicated resources to develop openfire, only a few of us that push things forward when we have a need / chance to. 3.7.0 beta is the only release I personally care about.