Securin Zero-Days

CVE-2020-24604 – Multiple Cross Site Scripting in Openfire Product

Severity: Medium

Vendor

Openfire

Affected Product

Ignite Realtime Openfire

CVE

CVE-2020-24604

Securin ID

2020-CSW-01-1041

Status

Fixed

Date

February 5, 2020

Description

A cross-site scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user's browser while the browser is connected to a trusted web site. The attack targets your application's users and not the application itself, but it uses your application as the vehicle for the attack. The XSS payload is executed whenever the user views the crafted POST request with the XSS payload in Openfire 4.5.0.

Proof of Concept (POC):

The following vulnerability was tested on Openfire version 4.5.0 Product.

Issue 01: Stored cross-site scripting

Figure 01: Import CA Certificate page with malicious payload “> in alias parameter

 

Figure 02: Malicious JavaScript payload is executed on the victim's browser every time this page is visited

Impact

  • Stealing cookies.
  • Disclosure of end-user files.
  • Redirection of the user to some other page or site.

Remediations

Perform context-sensitive encoding of untrusted input before it is echoed back to a browser by using an encoding library. Implement input validation for special characters on all variables that are reflected to the browser or stored in the database. Implement client-side validation.
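
As an added example (not Openfire's code and not part of the original advisory), the class below applies the first two remediations to a stored alias value using the OWASP Java Encoder library. The class name, the table-row markup, the `delete?alias=` link and the alias allow-list are assumptions made for illustration, and the library jar must be on the classpath.

```java
import org.owasp.encoder.Encode;
import java.util.regex.Pattern;

// Added example: validating and rendering a stored certificate alias.
// The markup and the allow-list are hypothetical, not taken from Openfire.
public class AliasRendering {

    // Hypothetical allow-list: letters, digits, dot, underscore, hyphen.
    private static final Pattern ALIAS_OK =
            Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    // Input validation: check the alias before it is stored.
    static boolean isValidAlias(String alias) {
        return alias != null && ALIAS_OK.matcher(alias).matches();
    }

    // Weak form: the stored value is concatenated into markup as-is,
    // so markup characters in the alias become part of the page.
    static String renderRowUnsafe(String alias) {
        return "<tr><td>" + alias + "</td>"
             + "<td><a href=\"delete?alias=" + alias + "\">Delete</a></td></tr>";
    }

    // Hardened form: the encoder is chosen per output context.
    // HTML text node -> forHtml
    // URL parameter inside an attribute -> forUriComponent, then forHtmlAttribute
    static String renderRow(String alias) {
        return "<tr><td>" + Encode.forHtml(alias) + "</td>"
             + "<td><a href=\"delete?alias="
             + Encode.forHtmlAttribute(Encode.forUriComponent(alias))
             + "\">Delete</a></td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup characters.
        String constructed = "\"><b>x</b>";
        String ordinary = "root-ca_2020";

        System.out.println("valid(ordinary)    = " + isValidAlias(ordinary));
        System.out.println("valid(constructed) = " + isValidAlias(constructed));
        System.out.println("unsafe: " + renderRowUnsafe(constructed));
        System.out.println("safe:   " + renderRow(constructed));
    }
}
```

Validation at write time and encoding at render time are independent controls: values stored before a validation rule existed are still neutralised when the page encodes them on output.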

Timeline

Feb 04, 2020: Vulnerability Discovered by CSW Security Researcher.

Feb 05, 2020: Vulnerability Reported to Vendor

Feb 06, 2020: Vendor responded with bug tracker Links

Feb 13, 2020: Follow up with vendor for fix release

Mar 01, 2020: Follow up with Vendor for fix release

Mar 06, 2020: Vendor responded with released fix

Aug 20, 2020: Request for CVE

Aug 24, 2020: CVE Assigned

Sep 01, 2020: Vendor Updated CVE in the bug tracker and Request for an update in CVE

Sep 02, 2020: CVE Published in NVD
