Cross-site scripting in Openfire - CVE-2020-24602

 

Cross-site scripting in Openfire - CVE-2020-24602

Published: September 2, 2020 / Updated: September 9, 2020


Vulnerability identifier: #VU46543
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-24602
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Ignite Realtime
Affected software:
Openfire

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in the Server Properties and Security Audit Viewer JSP page


How to mitigate CVE-2020-24602

Install update from vendor's website.

Sources