The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Ignite Openfire

vulnerability alert 28281

Openfire: Cross Site Scripting via LDAP Setup Pages

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack via the LDAP Setup Pages of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/01/2019.
Identifiers: VIGILANCE-VUL-28281.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter data received via the LDAP Setup Pages before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack via the LDAP Setup Pages of Openfire, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2018-11688

Openfire: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack in Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/06/2018.
Identifiers: CVE-2018-11688, VIGILANCE-VUL-26320.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack in Openfire, in order to run JavaScript code in the context of the web site.

vulnerability bulletin 25653

Openfire: Cross Site Scripting via Property Name

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack via a Property Name of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 26/03/2018.
Identifiers: VIGILANCE-VUL-25653.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting attack via a Property Name of Openfire, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2017-15911

Openfire: Cross Site Scripting via setup-host-settings.jsp

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack via setup-host-settings.jsp of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/11/2017.
Identifiers: CVE-2017-15911, OF-1250, OF-1400, OF-1417, VIGILANCE-VUL-24489.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter data received via setup-host-settings.jsp before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack via setup-host-settings.jsp of Openfire, in order to run JavaScript code in the context of the web site.

vulnerability alert 22651

Openfire: SQL injection via the DBAccess plugin

Synthesis of the vulnerability

An attacker can use a SQL injection via the DBAccess plugin of Openfire, in order to read or alter data.
Impacted products: Openfire.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 05/05/2017.
Identifiers: VIGILANCE-VUL-22651.

Description of the vulnerability

The Openfire product uses a database.

However, user-supplied data is inserted directly into a SQL query.

An attacker can therefore use a SQL injection via the DBAccess plugin of Openfire, in order to read or alter data.

computer vulnerability announcement 21897

Openfire: denial of service via SASL

Synthesis of the vulnerability

When authentication is delegated, an attacker can start an authentication attempt via SASL against Openfire, in order to trigger a denial of service.
Impacted products: Openfire.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 20/02/2017.
Identifiers: VIGILANCE-VUL-21897.

Description of the vulnerability

When authentication is delegated, an attacker can start an authentication attempt via SASL against Openfire, in order to trigger a denial of service.

computer vulnerability alert CVE-2015-7707

Openfire: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Openfire.
Impacted products: Openfire.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 22/12/2016.
Identifiers: CVE-2015-7707, VIGILANCE-VUL-21456.

Description of the vulnerability

Several vulnerabilities were announced in Openfire.

An attacker can trigger a Cross Site Request Forgery via the administration console, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger several Cross Site Scripting attacks, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a stored Cross Site Scripting attack, in order to run JavaScript code in the context of the web site. [severity:2/4]

An ordinary user can grant administration rights to themselves. [severity:3/4; CVE-2015-7707]

An attacker can trigger a Cross Site Scripting attack, in order to run JavaScript code in the context of the web site. [severity:2/4]

computer vulnerability alert 20676

Openfire: Cross Site Scripting via setup-admin-settings_test.jsp

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack via setup-admin-settings_test.jsp of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 22/09/2016.
Identifiers: VIGILANCE-VUL-20676.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack via setup-admin-settings_test.jsp of Openfire, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin 20418

Openfire: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting attack in Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/08/2016.
Identifiers: OF-1165, VIGILANCE-VUL-20418.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter data received on the "advance-user-search.jsp" page before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting attack in Openfire, in order to run JavaScript code in the context of the web site.

computer vulnerability alert 20026

Openfire: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Openfire.
Impacted products: Openfire.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 05/07/2016.
Identifiers: VIGILANCE-VUL-20026.

Description of the vulnerability

Several vulnerabilities were announced in Openfire.

An attacker can trigger a Cross Site Scripting attack via server2server-settings.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting attack via advance-user-search.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting attack via search-props-edit-form.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting attack via the create-bookmark.jsp page, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting attack via audit-policy.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting attack via import-keystore-certificate.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting attack via advance-user-search.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Request Forgery via connection-settings-external-components.jsp, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Request Forgery via client-connections-settings.jsp, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Request Forgery via server-properties.jsp, in order to force the victim to perform operations. [severity:2/4]