CVE-2019-20364: Reflected XSS in Openfire 4.4.4

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed whenever the user submits the crafted POST request with XSS Payload in Openfire 4.4.4 Product.

Vendor: Openfire
Affected Product: Ignite Realtime
CVE: CVE-2019-20364
Securin ID: 2019-CSW-12-1034
Status: Fixed
Date: December 31, 2019
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01The following vulnerability was tested on Openfire version 4.4.4 Product.02Issue 01: The GET Request “cacheName” variable in the URL http://192.168.0.155:9090//SystemCacheDetails.jsp is failing to validate XSS payload in client-side, which results in reflected cross-site scripting.03Figure 01: Select the cache name summary of all existing caches (here cacheName is ‘reflected XSS’).04Figure 02: Add XSS payload to the variable “cacheName.”05Figure 03: HTTP Response for the modified “cacheName” variable with XSS payload.06Figure 04: Injected XSS payload, </script>(document.cookie)</script> gets reflected in the browser response.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

Stealing cookies

Medium

End-user files disclosure.

High

Redirection of the user to some other page or site.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library. Implement input validation for special characters on all the variables that are reflecting to the browser and storing it in the database. Implement client-side validation.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20364, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Dec 30, 2019

Vulnerability Discovered in OpenFire

Dec 31, 2019

Vulnerability Reported to Vendor

Dec 31, 2019

Vendor Responded

Dec 31, 2019

Vendor Released Fix

Jan 08, 2020

CVE Assigned

Disclosed 1 day after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20364

nvd.nist.gov/vuln/detail/CVE-2019-20364 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: Openfire
Affected Product: Ignite Realtime
CVE: CVE-2019-20364
Securin ID: 2019-CSW-12-1034
Status: Fixed
Date: December 31, 2019
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

Stealing cookies

Medium

End-user files disclosure.

High

Redirection of the user to some other page or site.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20364, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Dec 30, 2019

Vulnerability Discovered in OpenFire

Dec 31, 2019

Vulnerability Reported to Vendor

Dec 31, 2019

Vendor Responded

Dec 31, 2019

Vendor Released Fix

Jan 08, 2020

CVE Assigned

Disclosed 1 day after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20364

nvd.nist.gov/vuln/detail/CVE-2019-20364 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Vulnerability Discovered in OpenFire

Vulnerability Reported to Vendor

Vendor Responded

Vendor Released Fix

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2019-20364

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Vulnerability Discovered in OpenFire

Vulnerability Reported to Vendor

Vendor Responded

Vendor Released Fix

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2019-20364

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Discovered in OpenFire

Vulnerability Reported to Vendor

Vendor Responded

Vendor Released Fix

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2019-20364

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Discovered in OpenFire

Vulnerability Reported to Vendor

Vendor Responded

Vendor Released Fix

CVE Assigned

Cite, verify, go deeper.

NVD — CVE-2019-20364

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.