CVE-2020-24601 - Multiple Cross Site Scripting in Openfire Product
Vendor: Openfire
Affected Product: Ignite Realtime Openfire
CVE: CVE-2020-24601
Securin ID: 2020-CSW-01-1039
Status: Fixed
Date: February 5, 2020
Description
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted web site. The attack targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. In Openfire 4.5.0, the XSS payload is executed whenever the user views the response to a crafted POST request that carries the payload.
Proof of Concept (POC):
The following issues were tested on Openfire version 4.5.0.
Issue 01: Reflected cross-site scripting
Figure 01: The injected XSS payload ‘+accesskey=’X’+onclick=’alert(document.cookie) is reflected in the browser response.
Issue 02: Reflected cross-site scripting
Figure 02: The injected XSS payload ‘+accesskey=’X’+onclick=’alert(document.cookie) is reflected in the browser response.
Impact
Stealing cookies.
Disclosure of end-user files.
Redirection of the user to some other page or site.
Remediations
Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library. Implement input validation for special characters on all variables that are reflected to the browser or stored in the database. Implement client-side validation.
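The context-sensitive encoding step, as an added example that is not part of the original advisory or Openfire's code: the payload from the figures is rendered into a single-quoted attribute with and without encoding, and the markup is parsed to show which attributes a browser would see. The template, the `search` field name and the use of Python's `html.escape` as the encoding library are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Payload from the figure captions, typed with straight quotes. In a
# form-encoded POST body each '+' decodes to a space.
RAW_PAYLOAD = "'+accesskey='X'+onclick='alert(document.cookie)"
# Hypothetical template: the advisory does not name the page or parameter.
TEMPLATE = "<input type='text' name='search' value='{value}'>"
EXPECTED_ATTRS = {"type", "name", "value"}


def render_unencoded(value: str) -> str:
    """Vulnerable pattern: untrusted input echoed straight into an attribute."""
    return TEMPLATE.format(value=value)


def render_encoded(value: str) -> str:
    """Attribute-context encoding: quote=True also encodes both quote characters."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Parse the markup and return the attributes of the <input> element."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


def injected_attributes(markup: str) -> set:
    """Attributes the template never declared: the input escaped its context."""
    return set(parsed_attributes(markup)) - EXPECTED_ATTRS


if __name__ == "__main__":
    value = unquote_plus(RAW_PAYLOAD)
    print("unencoded:", sorted(injected_attributes(render_unencoded(value))))
    print("encoded:  ", sorted(injected_attributes(render_encoded(value))))
```

The same parse-and-compare check can be run in a regression test against any reflected field, so that an unexpected attribute in the response fails the build.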
Timeline
Feb 04, 2020: Vulnerability discovered by CSW security researcher.
Feb 05, 2020: Vulnerability reported to vendor.
Feb 06, 2020: Vendor responded with bug tracker links.
Feb 13, 2020: Follow up with vendor for fix release.
Mar 01, 2020: Follow up with vendor for fix release.
Mar 06, 2020: Vendor responded with released fix.
Aug 20, 2020: Request for CVE.
Aug 24, 2020: CVE assigned.
Sep 01, 2020: Vendor updated CVE in the bug tracker; request for an update in CVE.