
CVE-2019-20527: Ignite Realtime Openfire allows Cross-site Scripting

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.63687%
Published: 5/24/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.igniterealtime.openfire:parent | maven | < 4.4.2 | 4.4.2 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unescaped output of the `serverURL` parameter in `setup-datasource-standard.jsp`. The patch adds JSTL escaping (`fn:escapeXml`) to user-controlled values. The `_jspService` method (the auto-generated JSP servlet entry point) would show in profilers when processing requests to this page. In the vulnerable version, the affected code writes the parameter directly into HTML attributes without sanitization.
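A triage check built on the root cause above, as an added example (not Miggo's or Openfire's code): it scans JSP source for values written into the page without `fn:escapeXml` or `<c:out>`. The sample JSP lines are constructed and the function name `find_unescaped_outputs` is hypothetical.

```python
import re

# Constructed JSP lines (not Openfire's actual source): an unescaped attribute
# value, its fn:escapeXml form, a scriptlet expression, and a c:out tag.
SAMPLE_JSP = '''\
<input type="text" name="serverURL" value="${serverURL}">
<input type="text" name="serverURL" value="${fn:escapeXml(serverURL)}">
<input type="text" name="username" value="<%= request.getParameter("username") %>">
<td><c:out value="${password}"/></td>
'''

EL_EXPR = re.compile(r'\$\{([^}]*)\}')         # ${...} EL expression
SCRIPTLET_EXPR = re.compile(r'<%=(.*?)%>')     # <%= ... %> scriptlet expression
SAFE_EL = re.compile(r'^\s*fn:escapeXml\(.*\)\s*$')
C_OUT = re.compile(r'<c:out\b[^>]*>')


def _drop_escaping_c_out(match):
    """Keep a <c:out> tag only when its default escaping is switched off."""
    tag = match.group(0)
    return tag if 'escapeXml="false"' in tag else ''


def find_unescaped_outputs(jsp_text):
    """Return (line_number, expression) pairs that need manual review."""
    findings = []
    for lineno, line in enumerate(jsp_text.splitlines(), start=1):
        # <c:out> escapes XML by default, so EL inside it is not reported.
        candidate = C_OUT.sub(_drop_escaping_c_out, line)
        for m in EL_EXPR.finditer(candidate):
            if not SAFE_EL.match(m.group(1)):
                findings.append((lineno, m.group(0)))
        # Scriptlet expressions are never escaped by the container, so every
        # one is reported for review.
        for m in SCRIPTLET_EXPR.finditer(candidate):
            findings.append((lineno, m.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, expr in find_unescaped_outputs(SAMPLE_JSP):
        print(f"line {lineno}: unescaped output {expr}")
```

Hits are candidates for review rather than confirmed flaws: EL used in non-output positions (for example a `<c:if test="...">` condition) is also reported by this heuristic.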


WAF Protection Rules

WAF Rule

Ignite Realtime Openfire *.*.* allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter. This issue was fixed in version *.*.*.
