XSS vulnerability in Monitoring Service pages in Admin Console

Description

In the Openfire admin panel, if you go to Archiving to start a search for a conversation, you will have a URL something like this:

http://domain.tld/plugins/monitoring/archive-search.jsp?participant1=any&participant2=any&startDate=any&endDate=any&keywords=&submitForm=Search&start&range=&parseRange=

The following parameters are vulnerable to reflected XSS (Cross-Site Scripting):

participant1
participant2
startDate
endDate
keywords
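An added example, not code from Openfire or the Monitoring plugin, that shows the defect class behind this report and its fix: the five request parameters listed above are reflected into form fields, so the unsafe pattern writes the raw value into an attribute, while the hardened pattern HTML-escapes it first. The field names are from the report; the rendering functions and the small escaper are assumptions standing in for whatever helper the real JSP uses.

```java
// Added example (not Openfire's own code): renders the archive-search form
// fields named in the report, first unescaped, then with HTML escaping.
public class ArchiveSearchEscaping {

    // Parameters the report says are reflected into the page.
    static final String[] REFLECTED = {
        "participant1", "participant2", "startDate", "endDate", "keywords"
    };

    // Minimal escaper for text and double-quoted attribute context: these
    // five characters are the ones that can close an attribute or open a tag.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the request parameter goes straight into the markup,
    // so a value containing '"' or '<' changes the page structure.
    static String renderFieldUnsafe(String name, String value) {
        return "<input type=\"text\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    // Hardened pattern: escape before the value reaches the markup, so the
    // browser shows the characters instead of interpreting them.
    static String renderFieldSafe(String name, String value) {
        return "<input type=\"text\" name=\"" + name + "\" value=\"" + escapeHtml(value) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed input containing attribute-breaking characters.
        String hostile = "a\"><b>&";
        for (String p : REFLECTED) {
            System.out.println(renderFieldUnsafe(p, hostile));
            System.out.println(renderFieldSafe(p, hostile));
        }
    }
}
```

A regression check for this issue is the same comparison in reverse: submit a value with those characters on each parameter and confirm the response contains only the escaped form.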

Environment

None

Activity

Simon Waters December 16, 2016 at 3:08 PM

Cannot reproduce this in 4.1beta. The injected strings are escaped and placed in the relevant fields if you manipulate the URL.

wroot June 17, 2015 at 9:58 AM

There is a report that the issue is not fixed yet: https://community.igniterealtime.org/thread/56022

Tom Evans October 31, 2014 at 7:25 PM

Refer to PR #96.

Fixed

Details

Created October 31, 2014 at 2:43 PM
Updated October 28, 2020 at 11:02 AM
Resolved December 16, 2016 at 4:03 PM