Exploitation Summary
EIP tracks 3 public exploits for CVE-2009-0496. PoCs published by Federico Muttis.
AI-analyzed exploit summary The provided text describes a cross-site scripting (XSS) vulnerability in Openfire 3.6.2, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject arbitrary script code via the 'username' parameter.
Description
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) log parameter to (a) logviewer.jsp and (b) log.jsp; (2) search parameter to (c) group-summary.jsp; (3) username parameter to (d) user-properties.jsp; (4) logDir, (5) maxTotalSize, (6) maxFileSize, (7) maxDays, and (8) logTimeout parameters to (e) audit-policy.jsp; (9) propName parameter to (f) server-properties.jsp; and the (10) roomconfig_roomname and (11) roomconfig_roomdesc parameters to (g) muc-room-edit-form.jsp. NOTE: this can be leveraged for arbitrary code execution by using XSS to upload a malicious plugin.
Exploits (3)
The provided text describes a cross-site scripting (XSS) vulnerability in Openfire 3.6.2, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject arbitrary script code via the 'username' parameter.
This exploit demonstrates a cross-site scripting (XSS) vulnerability in Openfire by injecting malicious script code via the 'log' parameter in log.jsp. The payload uses an img tag with an onerror event to execute arbitrary JavaScript.
The provided text describes a cross-site scripting (XSS) vulnerability in Openfire 3.6.2, where insufficient input sanitization allows arbitrary script execution in a user's browser context. The example URL demonstrates the vulnerability but does not include executable exploit code.