CVE-2017-15911

Description

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jspdomain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.

Risk Information

Base Score

4.8

MODERATE

Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS Score

Exploitation Probability

0.479

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2017-15911 are fixed in Igniterealtime - parent 4.1.7	Windows
Vulnerabilities CVE-2017-15911 are fixed in Igniterealtime - parent for Linux 4.1.7	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234