CVE-2015-7707

Ignite Realtime Openfire 3.10.2 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks one public exploit for CVE-2015-7707, a PoC published by hyp3rlinx.

AI-analyzed exploit summary: The public PoC demonstrates privilege escalation in Openfire 3.10.2 by adding an isadmin parameter to a GET request to user-edit-form.jsp, which grants administrator rights to an ordinary user account. The request carries no CSRF token, so it can also be delivered to a user who is already logged in (for example via a crafted link), which makes the attack reachable remotely.
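The two facts above that matter for defenders are the endpoint (user-edit-form.jsp) and the parameter (isadmin) arriving in the query string of a GET. The following detector, an added example that is not part of this EIP page, the hyp3rlinx PoC, or the Openfire project, scans web-server access logs for exactly that pattern and raises the severity when the Referer is missing or off-site, which is what a CSRF-style delivery to a logged-in user looks like. It assumes combined log format, the sample lines are constructed (the host openfire.example:9090, the usernames and the IPs are placeholders), and the set of values treated as "true" for isadmin is an assumption rather than something the advisory states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format; not real traffic.
# Line 1: isadmin=true via GET with an off-site Referer (CSRF-style lure).
# Line 2: an ordinary visit to the edit form, no isadmin parameter.
# Line 3: isadmin=true via GET from inside the console itself.
# Line 4: unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Oct/2015:10:12:01 +0000] "GET /user-edit-form.jsp?username=bob&isadmin=true HTTP/1.1" 200 512 "http://attacker.example/lure.html" "Mozilla/5.0"
192.0.2.11 - admin [05/Oct/2015:10:13:22 +0000] "GET /user-edit-form.jsp?username=bob HTTP/1.1" 200 4801 "http://openfire.example:9090/user-properties.jsp?username=bob" "Mozilla/5.0"
192.0.2.12 - bob [05/Oct/2015:10:14:05 +0000] "GET /user-edit-form.jsp?username=bob&isadmin=true HTTP/1.1" 302 0 "http://openfire.example:9090/user-edit-form.jsp?username=bob" "Mozilla/5.0"
192.0.2.13 - - [05/Oct/2015:10:15:40 +0000] "GET /index.jsp HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed host:port of the Openfire admin console; adjust for your deployment.
ADMIN_CONSOLE_HOSTS = {"openfire.example:9090"}
# Assumed: values that the vulnerable form would treat as "grant admin".
TRUTHY = {"true", "1", "yes", "on"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return (severity, reason) for a suspicious entry, or None if benign."""
    url = urlsplit(entry["target"])
    if not url.path.endswith("/user-edit-form.jsp"):
        return None
    values = [v.lower() for v in parse_qs(url.query).get("isadmin", [])]
    if not any(v in TRUTHY for v in values):
        return None
    # isadmin reached the form handler in the query string of a GET, the
    # shape of the PoC request. Decide whether the Referer points back at the
    # console (same-site action) or elsewhere / nowhere (possible CSRF lure).
    referer = entry["referer"]
    ref_host = urlsplit(referer).netloc if referer and referer != "-" else ""
    if ref_host in ADMIN_CONSOLE_HOSTS:
        return "medium", "isadmin set via GET from the admin console itself"
    return "high", "isadmin set via GET with off-site or missing Referer (possible CSRF)"


def scan(log_text):
    """Scan a block of log text; return one alert dict per suspicious line."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit:
            alerts.append({
                "line": lineno,
                "ip": entry["ip"],
                "user": entry["user"],
                "severity": hit[0],
                "reason": hit[1],
                "target": entry["target"],
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a['line']}: {a['severity']} - {a['reason']} "
              f"({a['ip']} user={a['user']} {a['target']})")
```

Run against the constructed sample it reports lines 1 and 3; line 1 is rated high because the Referer is attacker.example rather than the console. On a patched instance the same GET should no longer change the admin flag, but the request pattern is still worth alerting on, since it shows that someone is probing for this bug.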

Description

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp.

Exploits (1)

exploitdb WORKING POC
by hyp3rlinx · format: text, type: webapps, platform: jsp
https://www.exploit-db.com/exploits/38190

Classification
Working PoC (90%)
Attack Type
Privilege Escalation (authorization bypass: an authenticated non-admin user gains admin rights)
Complexity
Trivial
Reliability
Reliable
Target: Openfire 3.10.2
Auth required
Prerequisites: User account on the target Openfire instance
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Issue Tracking (x_refsource_misc): https://igniterealtime.org/issues/browse/OF-941
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/201612-50
Exploit (x_refsource_exploit-db): https://www.exploit-db.com/exploits/38190/

Scores

EPSS 0.0603 (6.03% estimated probability of exploitation in the next 30 days)
EPSS Percentile 92.4%

Details

CWE
CWE-264 (Permissions, Privileges, and Access Controls)
Status published
Products (1)
igniterealtime/openfire 3.10.2
Published Oct 05, 2015
Tracked Since Feb 18, 2026