CVE-2017-15911
Public Exploits: 0
Exploited in Wild: -
Descriptions
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.
SSVC
- Decision: -
Timeline
- 2017-10-25 CVE Reserved
- 2017-10-26 CVE Published
- 2023-09-05 EPSS Updated
- 2024-08-05 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References (2)

URL | Tag | Date
---|---|---
https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html | Issue Tracking | -
https://issues.igniterealtime.org/browse/OF-1417 | - | 2017-11-17
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Igniterealtime | Openfire | <= 4.1.6 | - | Affected