Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Igniterealtime | Openfire | 3.10.2 |
Related Weaknesses (CWE)
References
- http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt
- http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-ScriptingExploit
- https://security.gentoo.org/glsa/201612-50
- https://www.exploit-db.com/exploits/38191/Exploit
- http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt
- http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-ScriptingExploit
- https://security.gentoo.org/glsa/201612-50
- https://www.exploit-db.com/exploits/38191/Exploit
FAQ
What is CVE-2015-6972?
CVE-2015-6972 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clie...
How severe is CVE-2015-6972?
CVE-2015-6972 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-6972?
Check the references section above for vendor advisories and patch information. Affected products include: Igniterealtime Openfire.