[manjaro-security] [arch-security] [ASA-201612-21] openfire: multiple issues

Santiago Torres-Arias santiago at archlinux.org
Tue Dec 27 19:45:18 CET 2016


Arch Linux Security Advisory ASA-201612-21
==========================================

Severity: High
Date    : 2016-12-23
CVE-ID  : CVE-2015-6972 CVE-2015-6973 CVE-2015-7707
Package : openfire
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-15

Summary
=======

The package openfire before version 4.1.0-1 is vulnerable to multiple
issues including privilege escalation, cross-site request forgery and
cross-site scripting.

Resolution
==========

Upgrade to 4.1.0-1.

# pacman -Syu "openfire>=4.1.0-1"

The problems have been fixed upstream in version 4.1.0.

Workaround
==========

None.

Description
===========

- CVE-2015-6972 (cross-site scripting)

Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime
Openfire 3.10.2 allow remote attackers to inject arbitrary web script
or HTML via the (1) groupchatName parameter to
plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to
plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter
to server-session-details.jsp; or the (4) search parameter to group-
summary.jsp.

- CVE-2015-6973 (cross-site request forgery)

Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite
Realtime Openfire 3.10.2 allow remote attackers to hijack the
authentication of administrators for requests that (1) change a
password via a crafted request to user-password.jsp, (2) add users via
a crafted request to user-create.jsp, (3) edit server settings or (4)
disable SSL on the server via a crafted request to server-props.jsp, or
(5) add clients via a crafted request to
plugins/clientcontrol/permitted-clients.jsp.

- CVE-2015-7707 (privilege escalation)

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to
gain administrator access via the isadmin parameter to user-edit-
form.jsp.

Impact
======

A remote attacker is able to escalate privileges, perform cross-site
request forgery and cross-site scripting.

References
==========

http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt
https://igniterealtime.org/issues/browse/OF-942
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt
https://issues.igniterealtime.org/browse/OF-941
https://security.archlinux.org/CVE-2015-6972
https://security.archlinux.org/CVE-2015-6973
https://security.archlinux.org/CVE-2015-7707
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20161227/20ba4d36/attachment.pgp>


More information about the manjaro-security mailing list