Securin Zero-Days

CVE-2020-24602 – Multiple Cross-Site Scripting in Openfire Product

Severity: Medium

Vendor

Openfire

Affected Product

Ignite Realtime Openfire

CVE

CVE-2020-24602

Securin ID

2020-CSW-01-1040

Status

Fixed

Date

February 4, 2020

Description

A cross-site scripting (XSS) attack causes arbitrary script (JavaScript) to run in a user's browser in the security context of a trusted web site. The attack targets the application's users rather than the application itself, but it uses the application as the vehicle. In Openfire 4.5.0, the payload executes whenever a user's browser submits a crafted POST request carrying the XSS payload, because the submitted value is reflected into the response page.

Proof of Concept (POC):

The vulnerability was tested on Openfire version 4.5.0.

Issue 01: Reflected cross-site scripting (POST request)

Figure 01: System Properties page

Figure 02: POST request to the server with the malicious payload in the 'action' parameter

Figure 03: Malicious JavaScript payload executed in the victim's browser

Impact

  • Theft of session cookies (session hijacking).
  • Disclosure of end-user files.
  • Redirection of the user to another page or site.

Because the vector is a POST parameter, exploitation requires the victim to submit an attacker-crafted request (for example, a form auto-submitted from an attacker-controlled page) while logged in to the affected page; the injected script then runs with the victim's session and privileges.

Remediations

Perform context-sensitive output encoding of untrusted input before it is echoed back to the browser, using a maintained encoding library rather than ad-hoc string replacement; the encoder must match the context the value lands in (HTML body, HTML attribute, JavaScript string, URL). In addition, validate input on the server for every parameter that is reflected to the browser or stored in the database, preferring an allowlist of expected values (a parameter such as 'action' normally has a small, fixed vocabulary). Client-side validation may be added for usability, but it is trivially bypassed and must not be relied on as a security control.
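The following Java class is an added illustration of the remediation above; it is example code written for this page, not Openfire's own code. It reflects a request parameter named action (the parameter name from the report) first the vulnerable way and then with context-sensitive encoding and allowlist validation. The payload string, the set of accepted action values and the method names are assumptions made for the example. The encoders are written out by hand so the class runs stand-alone; in production use a maintained library such as the OWASP Java Encoder instead.

```java
import java.util.Set;

// Added example (not Openfire code): echoing an untrusted "action" parameter
// into an HTML response, unsafely and then with context-sensitive encoding.
public final class ActionParamReflection {

    // Constructed test payload of the kind used to confirm reflected XSS;
    // it is NOT the payload from the original report.
    static final String PAYLOAD = "\"><script>alert(document.cookie)</script>";

    // Hypothetical allowlist of values the page actually accepts for "action".
    static final Set<String> KNOWN_ACTIONS = Set.of("save", "delete", "cancel");

    // Vulnerable pattern: untrusted input concatenated straight into markup.
    static String renderVulnerable(String action) {
        return "<p>Action: " + action + "</p>";
    }

    // Hardened pattern: encode for the HTML text context before echoing.
    static String renderEncoded(String action) {
        return "<p>Action: " + encodeForHtml(action) + "</p>";
    }

    // Defense in depth: "action" has a fixed vocabulary, so reject anything else
    // before it reaches the page. The accepted value is still encoded when echoed.
    static String renderValidated(String action) {
        if (!KNOWN_ACTIONS.contains(action)) {
            return "<p>Unknown action rejected.</p>"; // never echo the rejected value
        }
        return "<p>Action: " + encodeForHtml(action) + "</p>";
    }

    // HTML entity encoder for the characters that can break out of an HTML text
    // node or a quoted attribute value (the set recommended by OWASP).
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Different context, different encoder: inside a <script> string literal HTML
    // entities are not decoded, so non-alphanumerics are escaped as \xHH / \uHHHH.
    // Escaping '/' as well keeps "</script>" from ever appearing literally.
    static String encodeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    // The same value placed in a JavaScript string context.
    static String renderScriptVariable(String action) {
        return "<script>var action = '" + encodeForJsString(action) + "';</script>";
    }

    public static void main(String[] args) {
        System.out.println("vulnerable : " + renderVulnerable(PAYLOAD));
        System.out.println("encoded    : " + renderEncoded(PAYLOAD));
        System.out.println("validated  : " + renderValidated(PAYLOAD));
        System.out.println("js context : " + renderScriptVariable(PAYLOAD));
    }
}
```

Running the class prints the vulnerable output with a live `<script>` tag, the encoded output with `&lt;script&gt;` that the browser renders as text, the allowlist path that refuses to echo the value at all, and the JavaScript-context output in which every metacharacter is a `\xHH` escape. The point of the last line is that HTML entity encoding applied inside a `<script>` block would not have prevented a breakout; the encoder has to be chosen for the context the value lands in.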

Timeline

Feb 04, 2020: Vulnerability discovered by CSW security researcher.

Feb 05, 2020: Vulnerability reported to vendor.

Feb 06, 2020: Vendor responded with bug tracker links.

Feb 13, 2020: Follow-up with vendor for fix release.

Mar 01, 2020: Follow-up with vendor for fix release.

Mar 06, 2020: Vendor responded with released fix.

Aug 20, 2020: Request for CVE.

Aug 24, 2020: CVE assigned.

Sep 01, 2020: Vendor updated CVE in the bug tracker and requested an update to the CVE.

Sep 02, 2020: CVE published in NVD.
