[arch-security] [ASA-201612-21] openfire: multiple issues
Santiago Torres-Arias
santiago at archlinux.org
Tue Dec 27 18:45:18 UTC 2016
Arch Linux Security Advisory ASA-201612-21
==========================================
Severity: High
Date : 2016-12-23
CVE-ID : CVE-2015-6972 CVE-2015-6973 CVE-2015-7707
Package : openfire
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-15
Summary
=======
The package openfire before version 4.1.0-1 is vulnerable to multiple
issues including privilege escalation, cross-site request forgery and
cross-site scripting.
Resolution
==========
Upgrade to 4.1.0-1.
# pacman -Syu "openfire>=4.1.0-1"
The problems have been fixed upstream in version 4.1.0.
Workaround
==========
None.
Description
===========
- CVE-2015-6972 (cross-site scripting)
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime
Openfire 3.10.2 allow remote attackers to inject arbitrary web script
or HTML via the (1) groupchatName parameter to
plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to
plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter
to server-session-details.jsp; or the (4) search parameter to group-
summary.jsp.
- CVE-2015-6973 (cross-site request forgery)
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite
Realtime Openfire 3.10.2 allow remote attackers to hijack the
authentication of administrators for requests that (1) change a
password via a crafted request to user-password.jsp, (2) add users via
a crafted request to user-create.jsp, (3) edit server settings or (4)
disable SSL on the server via a crafted request to server-props.jsp, or
(5) add clients via a crafted request to
plugins/clientcontrol/permitted-clients.jsp.
- CVE-2015-7707 (privilege escalation)
Ignite Realtime Openfire 3.10.2 allows remote authenticated users to
gain administrator access via the isadmin parameter to user-edit-
form.jsp.
Impact
======
A remote attacker is able to escalate privileges, perform cross-site
request forgery and cross-site scripting.
References
==========
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt
https://igniterealtime.org/issues/browse/OF-942
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt
https://issues.igniterealtime.org/browse/OF-941
https://security.archlinux.org/CVE-2015-6972
https://security.archlinux.org/CVE-2015-6973
https://security.archlinux.org/CVE-2015-7707
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20161227/20ba4d36/attachment.asc>
More information about the arch-security
mailing list