OF-941: CVE-2015-7707 Admin Console Privilege Escalation Vulnerability

Part of: OF-942 CVE-2015-6972 CVE-2015-6973 Admin Console Security Improvements


      Description

      hyp3rlinx reported that Openfire v3.10.2 suffers from a privilege escalation vulnerability.

      Vulnerability Details:

      • No authorization check is made when updating user privileges, allowing a regular user to become an admin.
      • Escalation can also be triggered remotely while a user is logged in, since no CSRF token exists.

      Exploit code(s):
      http://localhost:9090/user-edit-form.jsp?username=test02&save=true&name=test02&email=tim.durden+test02@surevine.com&isadmin=on

      Full Details: https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html
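As an added illustration that is not Openfire's code, the hypothetical handler below contrasts the update path described above with a hardened one: the hardened path accepts only POST, refuses to honour isadmin unless the caller already holds admin rights, and requires a per-session CSRF token. The Session class, the ADMIN_FLAGS store and the csrf form field are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/** Stand-in for the caller's authenticated session (hypothetical, not Openfire's API). */
final class Session {
    final String username;
    final boolean isAdmin;
    final String csrfToken;
    Session(String username, boolean isAdmin, String csrfToken) {
        this.username = username; this.isAdmin = isAdmin; this.csrfToken = csrfToken;
    }
}

public final class UserEditHandler {
    /** Constructed user store: username -> admin flag. */
    static final Map<String, Boolean> ADMIN_FLAGS = new HashMap<>();

    /** Vulnerable shape: any logged-in caller, even via a plain GET, can set isadmin=on for anyone. */
    static boolean saveVulnerable(Map<String, String> params) {
        if (!"true".equals(params.get("save"))) return false;
        ADMIN_FLAGS.put(params.get("username"), "on".equals(params.get("isadmin")));
        return true;
    }

    /** Hardened shape: POST only, caller must already be an admin, form must carry the session's CSRF token. */
    static boolean saveHardened(String method, Session caller, Map<String, String> params) {
        if (!"POST".equals(method) || !"true".equals(params.get("save"))) return false;
        // Authorization: only an existing administrator may change anyone's admin flag.
        if (!caller.isAdmin) return false;
        // CSRF: the token in the form must match the one bound to this session (constant-time compare).
        byte[] expected = caller.csrfToken.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = params.getOrDefault("csrf", "").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) return false;
        ADMIN_FLAGS.put(params.get("username"), "on".equals(params.get("isadmin")));
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> form = new HashMap<>();   // constructed form, same fields as the reported request
        form.put("username", "test02"); form.put("save", "true"); form.put("isadmin", "on");
        Session regularUser = new Session("test02", false, "tok-constructed");
        System.out.println("vulnerable: " + saveVulnerable(form) + " -> admin=" + ADMIN_FLAGS.get("test02"));
        ADMIN_FLAGS.put("test02", false);
        System.out.println("hardened, regular user: " + saveHardened("POST", regularUser, form));
        Session admin = new Session("admin", true, "tok-constructed");
        form.put("csrf", "tok-constructed");
        System.out.println("hardened, admin with token: " + saveHardened("POST", admin, form) + " -> admin=" + ADMIN_FLAGS.get("test02"));
    }
}
```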

      People

      Assignee: Dave Cridland (dwd)
      Reporter: wroot