Openfire < 3.6.3 Multiple Vulnerabilities
High Nessus Network Monitor Plugin ID 4925
Synopsis
The remote host contains an application that is affected by multiple vulnerabilities.
Description
The remote host is running Openfire / Wildfire, an instant messaging server that implements the XMPP protocol. According to its version number, the installation of Openfire or Wildfire is affected by the following vulnerabilities :
- Several .jsp pages, namely 'logviewer.jsp' (BID 32935), 'group-summary.jsp' (BID 32937), 'user-properties.jsp' (BID 32938), 'audit-policy.jsp' (BID 32939) and 'log.jsp' (BID 32940), fail to sanitize input supplied by authorized users and are therefore affected by cross-site scripting vulnerabilities.
- The pages 'security-audit-viewer.jsp', 'server-properties.jsp' (BID 32943) and 'muc-room-summary.jsp' (BID 32944) are affected by stored cross-site scripting vulnerabilities.
- 'log.jsp' fails to sanitize input passed to the 'log' parameter by an authorized user, so an authenticated attacker may be able to read arbitrary .log files. (BID 32945)
Solution
Upgrade to Openfire 3.6.3 or later.
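The two checks a practitioner would want from this advisory, as an added example that is not part of the plugin or of Openfire's own code: a numeric version gate against the 3.6.3 fix level (string comparison would wrongly flag 3.10.x as older than 3.6.3), and a constructed illustration of the 'log' parameter flaw, with a naive path-join that lets a traversal sequence escape the log directory beside an allow-list based resolver that does not. The log directory, the allowed log names, and both resolver functions are assumptions made for this example; they are not taken from log.jsp.

```python
"""Version gate for the Openfire < 3.6.3 advisory and a hardened 'log' selector.

Added example; nothing here is the plugin's or Openfire's own code.
"""
import re
from pathlib import Path

# First release the advisory lists as fixed.
FIXED_VERSION = (3, 6, 3)

# Accepts "3.6.2", "3.6.2 beta", "3.6", ...: only the leading numeric fields count.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

# Assumed install layout and allow-list; constructed for this example.
LOG_DIR = "/opt/openfire/logs"
ALLOWED_LOGS = frozenset({"error", "info", "warn", "debug"})


def parse_version(version: str) -> tuple:
    """Turn a reported version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True when the reported Openfire/Wildfire version is below 3.6.3."""
    return parse_version(version) < FIXED_VERSION


def escapes_log_dir(path: Path, log_dir: str = LOG_DIR) -> bool:
    """True when a resolved path is not strictly inside log_dir."""
    return Path(log_dir).resolve() not in path.resolve().parents


def unsafe_resolve_log_file(log_param: str, log_dir: str = LOG_DIR) -> Path:
    """Constructed naive resolver: joins untrusted input straight onto the directory.

    '../../tmp/x' or an absolute path ends up outside log_dir, which is the
    class of bug the advisory describes for the 'log' parameter.
    """
    return (Path(log_dir) / f"{log_param}.log").resolve()


def resolve_log_file(log_param: str, log_dir: str = LOG_DIR) -> Path:
    """Hardened resolver: the parameter selects from an allow-list, never a path.

    Traversal sequences, separators and absolute paths are rejected before any
    filesystem path is built; the containment check is defence in depth.
    """
    if log_param not in ALLOWED_LOGS:
        raise ValueError(f"refusing log selector {log_param!r}")
    target = (Path(log_dir) / f"{log_param}.log").resolve()
    if escapes_log_dir(target, log_dir):
        raise ValueError("resolved path escaped the log directory")
    return target


def log_selector_is_safe(log_param: str) -> bool:
    """Convenience predicate: does the hardened resolver accept this selector?"""
    try:
        resolve_log_file(log_param)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for v in ("3.6.2", "3.6.3", "3.10.0"):
        print(f"{v:>8}: {'vulnerable' if is_vulnerable(v) else 'not affected'}")
    for p in ("error", "../../tmp/x", "/etc/hostname"):
        naive = unsafe_resolve_log_file(p)
        print(f"{p!r:>16}: naive -> {naive} (escapes={escapes_log_dir(naive)}), "
              f"hardened accepts={log_selector_is_safe(p)}")
```

The allow-list is the real fix: a log selector should never be treated as a path fragment, so canonicalising and checking containment is only a second line of defence, and the same pattern applies to any parameter that names a server-side file.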