Openfire Admin Console login.jsp XSS

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

A web application on the remote host has a cross-site scripting
vulnerability.

Description :

The Openfire admin console running on the remote host has a cross-site
scripting vulnerability. Input to the 'username' parameter of
'login.jsp' is not properly sanitized.

An attacker could exploit this by tricking a user into making a
specially crafted POST request, resulting in arbitrary script
execution in the user's browser.
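The condition described above (the 'username' value coming back in the page without HTML encoding) can be checked safely with a benign marker that contains the characters an encoding filter must transform, without sending any script. The following is an added example written for this page, not Nessus plugin code or Openfire code; the form field names other than 'username', the fetch callable and the sample responses are constructed assumptions.

```python
import html
from typing import Callable, Dict

# Constructed marker: contains every character an HTML/attribute encoder must
# transform, but no script, so reflecting it verbatim is harmless.
PROBE = 'xssprobe<>"\'&'


def classify_reflection(body: str, marker: str = PROBE) -> str:
    """Classify how a response body reflects the marker.

    'unescaped': marker present verbatim (the defect this advisory describes)
    'escaped':   only a fully HTML-encoded form is present (safe)
    'partial':   <>& encoded but quotes raw (still unsafe inside value="...")
    'absent':    marker not reflected
    """
    if marker in body:
        return "unescaped"
    if html.escape(marker, quote=True) in body:
        return "escaped"
    if html.escape(marker, quote=False) in body:
        return "partial"
    return "absent"


def check_login_reflection(post: Callable[[str, Dict[str, str]], str],
                           base_url: str, path: str = "/login.jsp") -> str:
    """Submit the marker as 'username' to login.jsp and classify the reply.

    `post(url, form) -> body` is an assumed transport (e.g. a requests
    wrapper) so the check itself stays offline-testable.
    """
    body = post(base_url + path, {"username": PROBE, "password": "x"})
    return classify_reflection(body)


# Constructed sample responses standing in for three server behaviours.
SAMPLES = {
    "vulnerable": '<input type="text" name="username" value="xssprobe<>"\'&">',
    "fixed": '<input type="text" name="username" value="'
             + html.escape(PROBE, quote=True) + '">',
    "partial": '<input type="text" name="username" value="'
               + html.escape(PROBE, quote=False) + '">',
}


def demo() -> Dict[str, str]:
    """Run the check against each constructed response; returns name -> verdict."""
    return {name: check_login_reflection(lambda url, form, b=body: b,
                                         "http://openfire.example:9090")
            for name, body in SAMPLES.items()}
```

Only "escaped" should be accepted as remediated; "partial" still lets the reflected value break out of a quoted attribute.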

This version of Openfire likely has other vulnerabilities, though
Nessus has not checked for those issues.

See also :

http://www.nessus.org/u?22eb6a7f

Solution :

Upgrade to Openfire 3.7.0 beta or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Family: CGI abuses : XSS

Nessus Plugin ID: 51143
