#VU21739 Cross-site request forgery in Openfire - CVE-2015-6973
Published: October 12, 2019
Openfire
Ignite Realtime
Description
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform various actions on behalf of the victim, such as changing the victim's password, creating new users, editing server settings, etc.
Remediation
External links
- http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt
- http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html
- http://www.securityfocus.com/archive/1/536470/100/0/threaded
- https://security.gentoo.org/glsa/201612-50
- https://www.exploit-db.com/exploits/38192/