|
|
CVE Reference: CVE-2009-0496 |
|
| NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE. | |
|
Original Page at CVE MITRE: CVE-2009-0496 |
|
|
Description: Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) log parameter to (a) logviewer.jsp and (b) log.jsp; (2) search parameter to (c) group-summary.jsp; (3) username parameter to (d) user-properties.jsp; (4) logDir, (5) maxTotalSize, (6) maxFileSize, (7) maxDays, and (8) logTimeout parameters to (e) audit-policy.jsp; (9) propName parameter to (f) server-properties.jsp; and the (10) roomconfig_roomname and (11) roomconfig_roomdesc parameters to (g) muc-room-edit-form.jsp. NOTE: this can be leveraged for arbitrary code execution by using XSS to upload a malicious plugin. |
|
|
CVE Status: Candidate |
|
|
References: XF http://xforce.iss.net/xforce/xfdb/47845 http://xforce.iss.net/xforce/xfdb/47834 http://xforce.iss.net/xforce/xfdb/47835 SAID Secunia Advisory: SA33452 MISC http://www.coresecurity.com/content/openfire-multiple-vulnerabilities CONFIRM http://www.igniterealtime.org/issues/browse/JM-1506 BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/499880/100/0/threaded BID 32935 32937 32938 32939 32940 32943 32944 |
|
| Return to the previous page. |
