CVE-2020-24601: Stored XSS in Openfire 4.5.1

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A cross-site scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted web site. The application targets your application’s users and not the application itself, but it uses your application as the vehicle for the attack. XSS payload is executed whenever the user views the crafted POST request with XSS Payload in Openfire 4.5.0 Product.

Vendor: Openfire
Affected Product: Ignite Realtime Openfire
CVE: CVE-2020-24601
Securin ID: 2020-CSW-01-1039
Status: Fixed
Date: February 5, 2020
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01The following vulnerability was tested on Openfire version 4.5.0 Product.02Issue 01: Reflected cross-site scripting03Figure 01: Injected XSS payload ‘+accesskey=’X’+onclick=’alert(document.cookie), gets reflected in the browser response.04Issue 02: Reflected cross-site scripting05Figure 02: Injected XSS payload ‘+accesskey=’X’+onclick=’alert(document.cookie), gets reflected in the browser response.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

Stealing cookies

Medium

End-user files disclosure.

High

Redirection of the user to some other page or site.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library. Implement input validation for special characters on all the variables that are reflecting the browser and storing in the database. Implement client-side validation.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-24601, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Feb 04, 2020

Vulnerability Discovered by CSW Security Researcher.

Feb 05, 2020

Vulnerability Reported to Vendor

Feb 06, 2020

Vendor responded with bug tracker Links

Feb 13, 2020

Follow up with vendor for fix release

Mar 01, 2020

Follow up with Vendor for fix release

Mar 06, 2020

Vendor responded with released fix

Aug 20, 2020

Request for CVE

Aug 24, 2020

CVE Assigned

Sep 01, 2020

Vendor Updated CVE in the bug tracker and Request for an update in CVE

Sep 02, 2020

CVE Published in NVD

Disclosed 31 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-24601

nvd.nist.gov/vuln/detail/CVE-2020-24601 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: Openfire
Affected Product: Ignite Realtime Openfire
CVE: CVE-2020-24601
Securin ID: 2020-CSW-01-1039
Status: Fixed
Date: February 5, 2020
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

Medium

Stealing cookies

Medium

End-user files disclosure.

High

Redirection of the user to some other page or site.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-24601, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Feb 04, 2020

Vulnerability Discovered by CSW Security Researcher.

Feb 05, 2020

Vulnerability Reported to Vendor

Feb 06, 2020

Vendor responded with bug tracker Links

Feb 13, 2020

Follow up with vendor for fix release

Mar 01, 2020

Follow up with Vendor for fix release

Mar 06, 2020

Vendor responded with released fix

Aug 20, 2020

Request for CVE

Aug 24, 2020

CVE Assigned

Sep 01, 2020

Vendor Updated CVE in the bug tracker and Request for an update in CVE

Sep 02, 2020

CVE Published in NVD

Disclosed 31 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-24601

nvd.nist.gov/vuln/detail/CVE-2020-24601 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Multiple Cross Site Scripting in Openfire Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Discovered by CSW Security Researcher.

Vulnerability Reported to Vendor

Vendor responded with bug tracker Links

Follow up with vendor for fix release

Follow up with Vendor for fix release

Vendor responded with released fix

Request for CVE

CVE Assigned

Vendor Updated CVE in the bug tracker and Request for an update in CVE

CVE Published in NVD

Cite, verify, go deeper.

NVD — CVE-2020-24601

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Multiple Cross Site Scripting in Openfire Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Stealing cookies

End-user files disclosure.

Redirection of the user to some other page or site.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Vulnerability Discovered by CSW Security Researcher.

Vulnerability Reported to Vendor

Vendor responded with bug tracker Links

Follow up with vendor for fix release

Follow up with Vendor for fix release

Vendor responded with released fix

Request for CVE

CVE Assigned

Vendor Updated CVE in the bug tracker and Request for an update in CVE

CVE Published in NVD

Cite, verify, go deeper.

NVD — CVE-2020-24601

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.