CVE-2015-6972

Ignite Realtime Openfire 3.10.2 - Cross-Site Scripting via Multiple Parameters

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-6972. PoCs published by hyp3rlinx.

AI-analyzed exploit summary: The document describes multiple XSS vulnerabilities in Openfire 3.10.2, including persistent XSS via the 'groupchatName' and 'urlName' parameters, and reflected XSS via the 'hostname' and 'search' parameters. It provides URLs and payloads for exploitation but does not include executable code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp.

Exploits (1)

exploitdb WRITEUP
by hyp3rlinx · text · webapps · jsp
https://www.exploit-db.com/exploits/38191

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Openfire 3.10.2
Auth required
Prerequisites: Access to the Openfire admin interface · Valid session or authentication credentials
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201612-50
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38191/

Scores

EPSS 0.0800
EPSS Percentile 94.0%

Details

CWE: CWE-79
Status: published
Products (1): igniterealtime/openfire 3.10.2
Published: Sep 16, 2015
Tracked Since: Feb 18, 2026