The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Openfire

computer vulnerability note CVE-2017-15911

Openfire: Cross Site Scripting via setup-host-settings.jsp

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via setup-host-settings.jsp of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/11/2017.
Identifiers: CVE-2017-15911, OF-1250, OF-1400, OF-1417, VIGILANCE-VUL-24489.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter data received via setup-host-settings.jsp before inserting them into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via setup-host-settings.jsp of Openfire, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 22651

Openfire: SQL injection via the DBAccess plugin

Synthesis of the vulnerability

An attacker can use a SQL injection via DBAccess of Openfire, in order to read or alter data.
Impacted products: Openfire.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 05/05/2017.
Identifiers: VIGILANCE-VUL-22651.

Description of the vulnerability

The Openfire product uses a database.

However, user-supplied data are inserted directly into an SQL query.

An attacker can therefore use a SQL injection via DBAccess of Openfire, in order to read or alter data.

computer vulnerability announcement 21897

Openfire: denial of service via SASL

Synthesis of the vulnerability

When authentication is delegated, an attacker can start an authentication attempt via SASL of Openfire, in order to trigger a denial of service.
Impacted products: Openfire.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 20/02/2017.
Identifiers: VIGILANCE-VUL-21897.

Description of the vulnerability

When authentication is delegated, an attacker can start an authentication attempt via SASL of Openfire, in order to trigger a denial of service.

computer vulnerability alert CVE-2015-7707

Openfire: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Openfire.
Impacted products: Openfire.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 22/12/2016.
Identifiers: CVE-2015-7707, VIGILANCE-VUL-21456.

Description of the vulnerability

Several vulnerabilities were announced in Openfire.

An attacker can trigger a Cross Site Request Forgery via the administration console, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger several Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a stored Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

An ordinary user can grant administration rights to himself. [severity:3/4; CVE-2015-7707]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

computer vulnerability alert 20676

Openfire: Cross Site Scripting via setup-admin-settings_test.jsp

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via setup-admin-settings_test.jsp of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 22/09/2016.
Identifiers: VIGILANCE-VUL-20676.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter received data before inserting them into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via setup-admin-settings_test.jsp of Openfire, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin 20418

Openfire: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 18/08/2016.
Identifiers: OF-1165, VIGILANCE-VUL-20418.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter data received on the "advance-user-search.jsp" page before inserting them into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Openfire, in order to run JavaScript code in the context of the web site.

computer vulnerability alert 20026

Openfire: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Openfire.
Impacted products: Openfire.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 05/07/2016.
Identifiers: VIGILANCE-VUL-20026.

Description of the vulnerability

Several vulnerabilities were announced in Openfire.

An attacker can trigger a Cross Site Scripting via server2server-settings.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via advance-user-search.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via search-props-edit-form.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via the create-bookmark.jsp page, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via audit-policy.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via import-keystore-certificate.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Scripting via advance-user-search.jsp, in order to run JavaScript code in the context of the web site. [severity:2/4]

An attacker can trigger a Cross Site Request Forgery via connection-settings-external-components.jsp, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Request Forgery via client-connections-settings.jsp, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Request Forgery via server-properties.jsp, in order to force the victim to perform operations. [severity:2/4]

vulnerability 18690

Openfire: Cross Site Scripting of muc-room-edit-form.jsp

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in muc-room-edit-form.jsp of Openfire, in order to run JavaScript code in the context of the web site.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 12/01/2016.
Identifiers: OF-1022, VIGILANCE-VUL-18690.

Description of the vulnerability

The Openfire product offers a web service.

However, it does not filter received data before inserting them into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in muc-room-edit-form.jsp of Openfire, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2015-6972 CVE-2015-6973

Openfire: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Openfire.
Impacted products: Openfire.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 15/09/2015.
Identifiers: CVE-2015-6972, CVE-2015-6973, OF-1020, VIGILANCE-VUL-17890.

Description of the vulnerability

Several vulnerabilities were announced in Openfire.

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4; CVE-2015-6973]

An attacker can upload a malicious file, in order, for example, to upload a Trojan. [severity:2/4]

An attacker can bypass security features, in order to escalate his privileges. [severity:2/4]

An attacker can download a file from the internet, in order to create a file in the "openfire\plugins" directory. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2015-6972]

computer vulnerability note CVE-2014-3451 CVE-2015-2080

Openfire: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Openfire.
Impacted products: Openfire.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 23/04/2015.
Identifiers: CVE-2014-3451, CVE-2015-2080, OF-405, OF-845, VIGILANCE-VUL-16699.

Description of the vulnerability

Several vulnerabilities were announced in Openfire.

An attacker can use a self-signed certificate as a Man-in-the-Middle, in order to read or alter data. [severity:2/4; CVE-2014-3451, OF-405]

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:2/4; OF-845]

An attacker can read a memory fragment of Jetty, in order to obtain sensitive information (VIGILANCE-VUL-25851). [severity:2/4; CVE-2015-2080]