Securin Zero-Days
CVE-2020-24604 - Multiple Cross Site Scripting in Openfire Product
Description
A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted web site. The attack targets your application's users and not the application itself, but it uses your application as the vehicle for the attack. In Openfire 4.5.0, the XSS payload is executed whenever a user views the content submitted through a crafted POST request carrying the payload.
Proof of Concept (POC):
The following vulnerability was tested on Openfire version 4.5.0.
Issue 01: Stored cross-site scripting

Figure 01: Import CA Certificate page with malicious payload “> in alias parameter

Figure 02: Malicious JavaScript payload is executed in the victim's browser every time this page is visited
Impact
- Stealing cookies.
- Disclosure of end-user files.
- Redirection of the user to some other page or site.
Remediations
Perform context-sensitive encoding of untrusted input before it is echoed back to a browser, using an encoding library. Implement input validation for special characters on all variables that are reflected to the browser or stored in the database. Implement client-side validation.
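The remediation above, sketched for the alias parameter as an added example (not Openfire's code and not part of the original advisory): server-side allowlist validation plus separate encoders for the HTML body and HTML attribute contexts. The class name, the alias allowlist and the sample input are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class AliasEncoding {
    // Assumed allowlist for a certificate alias: letters, digits, dot, underscore, hyphen.
    private static final Pattern ALIAS_OK = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    // Server-side input validation: reject anything outside the allowlist before storing it.
    static boolean isValidAlias(String alias) {
        return alias != null && ALIAS_OK.matcher(alias).matches();
    }

    // HTML body context (e.g. inside <td>): neutralise markup and quote characters.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // HTML attribute context (e.g. value="..."): encode every non-alphanumeric
    // code point as &#xHH; so the value cannot close the attribute or the tag.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        s.codePoints().forEach(cp -> {
            boolean alnum = (cp >= '0' && cp <= '9') || (cp >= 'A' && cp <= 'Z')
                    || (cp >= 'a' && cp <= 'z');
            if (alnum) out.appendCodePoint(cp);
            else out.append("&#x").append(Integer.toHexString(cp)).append(';');
        });
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that tries to break out of an attribute.
        String alias = "\"><script>alert(1)</script>";
        System.out.println("valid alias: " + isValidAlias(alias)); // false, so reject on import
        // Defence in depth: values already in the store are still encoded on output.
        System.out.println("<td>" + encodeForHtml(alias) + "</td>");
        System.out.println("<input name=\"alias\" value=\""
                + encodeForHtmlAttribute(alias) + "\">");
    }
}
```

The hand-written encoders only show what context-sensitive encoding does; in production, use a maintained encoding library as the remediation recommends, for example the OWASP Java Encoder (`Encode.forHtml`, `Encode.forHtmlAttribute`).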
Timeline