A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a userโs browser while the browser is connected to a trusted web site. The application targets your applicationโs users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed whenever the user views the crafted POST request with XSS Payload in Openfire 4.5.0 Product.
Securin Zero-Days
CVE-2020-24604 – Multiple Cross Site Scripting in Openfire Product
Severity:Medium
Vendor
Openfire
Affected Product
Ignite Realtime Openfire
CVE
CVE-2020-24604
Securin ID
2020-CSW-01-1041
Status
Fixed
Date
February 5, 2020
Description
Proof of Concept (POC):
The following vulnerability was tested on Openfire version 4.5.0 Product.
Issue 01: Stored cross-site scripting
Figure 01: Import CA Certificate page with malicious payload โ> in alias parameter
Figure 02: Malicious JavaScript payload is executed on the victimโs browser every time this page is visited
Impact
- Stealing cookies
- End-user files disclosure.
- Redirection of the user to some other page or site.
Remediations
Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library. Implement input validation for special characters on all the variables that are reflecting the browser and storing in the database. Implement client-side validation.
Timeline
Feb 04, 2020: Vulnerability Discovered by CSW Security Researcher.
Feb 05, 2020: Vulnerability Reported to Vendor
Feb 06, 2020: Vendor responded with bug tracker Links
Feb 13, 2020: Follow up with vendor for fix release
Mar 01, 2020: Follow up with Vendor for fix release
Mar 06,ย 2020: Vendor responded with released fix
Aug 20, 2020: Request for CVE
Aug 24,ย 2020: CVE Assigned
Sep 01, 2020: Vendor Updated CVE in the bug tracker and Request for an update in CVE
Sep 02,ย 2020: CVE Published in NVD