CVE-2019-20366: Reflected XSS in Openfire 4.4.4

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed whenever the user submits the crafted POST request with XSS Payload in Openfire 4.4.4 Product.

Vendor: Openfire
Affected Product: Ignite Realtime
CVE: CVE-2019-20366
Securin ID: 2019-CSW-12-1036
Status: Fixed
Date: December 31, 2019
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01The following vulnerability was tested on Openfire version 4.4.4 Product.02Issue 01: The GET Request “isTrustStore” variable in the URL http://localhost:9090/security-certificate-details.jsp?connectionType=SOCKET_S2S&alias=TEST-103 _rsa&isTrustStore=false are failing to validate XSS payload in client side which results in reflected cross site scripting.03Figure 01: IsTrustStore value is reflected inside a tag parameter between double quotes (here isTrustStore is ‘reflected XSS’).04Figure 02: Add XSS payload to the variable “isTrustStore.”05Figure 03: HTTP Response for the modified “isTrustStore” variable with XSS payload.06Figure 04: Injected XSS payload, “onmouseover=alert(/xss/)// gets reflected in the browser response.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

Stealing cookies

Medium

End-user files disclosure.

High

Redirection of the user to some other page or site.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library. Implement input validation for special characters on all the variables that are reflecting the browser and storing in the database. Implement client-side validation.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20366, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Dec 31, 2019

Discovered in Openfire product.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20366

nvd.nist.gov/vuln/detail/CVE-2019-20366 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: Openfire
Affected Product: Ignite Realtime
CVE: CVE-2019-20366
Securin ID: 2019-CSW-12-1036
Status: Fixed
Date: December 31, 2019
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

Stealing cookies

Medium

End-user files disclosure.

High

Redirection of the user to some other page or site.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2019-20366, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Dec 31, 2019

Discovered in Openfire product.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2019-20366

nvd.nist.gov/vuln/detail/CVE-2019-20366 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in Openfire product.

Cite, verify, go deeper.

NVD — CVE-2019-20366

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in Openfire product.

Cite, verify, go deeper.

NVD — CVE-2019-20366

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in Openfire product.

Cite, verify, go deeper.

NVD — CVE-2019-20366

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Reflected Cross-Site Scripting in Openfire Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in Openfire product.

Cite, verify, go deeper.

NVD — CVE-2019-20366

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.