CVE-2018-11688

MEDIUM

Ignite Realtime Openfire < 3.9.2 - Cross-Site Scripting via Crafted URL

Title source: llm

Description

Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

References (7)

Core 7

Core References

Patch x_refsource_confirm

https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a

View Patch ZIP pw:eip

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2018/Jun/13

Exploit, Third Party Advisory x_refsource_misc

https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/542060/100/0/threaded

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2018/Jun/24

Various Sources x_refsource_confirm

https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2

Scores

CVSS v3 6.1

EPSS 0.0242

EPSS Percentile 82.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

igniterealtime/openfire 3.7.1

org.igniterealtime.openfire/parent 0 - 3.9.2Maven

Published Jun 13, 2018

Tracked Since Feb 18, 2026