
CVE-2019-15488: Cross-site Scripting in Ignite Realtime Openfire

CVSS Score: 6.1 (CVSS v3.0)

Basic Information

EPSS Score: 0.44806%
Published: 8/27/2019
Updated: 1/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: org.igniterealtime.openfire:xmppserver
Ecosystem: maven
Vulnerable Versions: < 4.4.1
First Patched Version: 4.4.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from unescaped reflection of user input in the LDAP setup test interface. Pull request #1441 specifically describes fixing XSS in this context by sanitizing output. Exact code diffs are not available here, but JSP pages that handle admin and LDAP configuration are typical locations for this pattern: the commit message references the LDAP admin user test flow as the vulnerable component, and a reflected XSS there means a request parameter was written into the HTML response without output encoding. The CVSS vector is consistent with that reading: UI:R means a victim has to follow a crafted link to the test page, and the injected script then executes in the context of the Openfire admin interface. Upgrading to 4.4.1 or later removes the issue; when verifying, send a harmless marker string in the test-page parameters and confirm it comes back HTML-encoded rather than verbatim.
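The following is an added illustration of the pattern described above, written for this page. It is not Openfire's code and not the change from pull request #1441. The parameter name `username` and the response wording are assumptions; the real JSP and its parameter names are not given here. It puts the vulnerable rendering (request parameter concatenated straight into HTML) beside a hardened version that entity-encodes the value first, and includes the simple check a tester would run: does the raw probe string survive in the response?

```java
import java.util.Map;

// Added example (not Openfire's code): a minimal model of reflected XSS in an
// LDAP "test user" style page, with a hardened variant beside it.
public class LdapTestReflection {

    // Hypothetical parameter name; the actual Openfire JSP parameter names are
    // not given on this page.
    static final String PARAM = "username";

    // VULNERABLE: mirrors the pattern in the root-cause analysis. The request
    // parameter is copied into the HTML response with no output encoding, so a
    // value such as <script>...</script> becomes live markup.
    static String renderVulnerable(Map<String, String> params) {
        String user = params.getOrDefault(PARAM, "");
        return "<p>Tested LDAP login for user: " + user + "</p>";
    }

    // HARDENED: same response, but the parameter is HTML-entity encoded before
    // it is written, so attacker-controlled characters stay inside the text node.
    static String renderHardened(Map<String, String> params) {
        String user = params.getOrDefault(PARAM, "");
        return "<p>Tested LDAP login for user: " + escapeHtml(user) + "</p>";
    }

    // Minimal HTML encoder for text-node and quoted-attribute contexts (the five
    // characters OWASP recommends encoding). Included only so this file is
    // self-contained; production code should use a vetted encoder.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The tester's check: does the probe come back verbatim as markup?
    static boolean reflectsRawMarkup(String html, String probe) {
        return html.contains(probe);
    }

    public static void main(String[] args) {
        // Constructed probe value, not a request captured from a real Openfire.
        String probe = "<script>alert(document.domain)</script>";
        Map<String, String> request = Map.of(PARAM, probe);

        String vulnerable = renderVulnerable(request);
        String hardened = renderHardened(request);

        System.out.println("vulnerable response: " + vulnerable);
        System.out.println("hardened response:   " + hardened);
        System.out.println("probe reflected raw (vulnerable): "
                + reflectsRawMarkup(vulnerable, probe));
        System.out.println("probe reflected raw (hardened):   "
                + reflectsRawMarkup(hardened, probe));
    }
}
```

Compile and run with `javac LdapTestReflection.java && java LdapTestReflection` (Java 9 or later for `Map.of`). The vulnerable path echoes the `<script>` element unchanged; the hardened path emits `&lt;script&gt;...`, which the browser renders as text. In a JSP the equivalent fix is to wrap every `request.getParameter(...)` value written into the page with an HTML encoder rather than emitting it through a bare `<%= %>` expression.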


WAF Protection Rules

WAF Rule

Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test.
