Fortinet Discovers Ignite Realtime Openfire Cross-Site Scripting Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered a reflected Cross-Site Scripting (XSS) vulnerability in Ignite Realtime Openfire.
Openfire is a realtime collaboration (RTC) server licensed under the Open Source Apache License. It uses the widely adopted open protocol for instant messaging, XMPP (also called Jabber).
A reflected XSS vulnerability has been discovered in Openfire Search Plugin 1.7.2 and earlier versions. It is caused by inadequate filtering of user-supplied input in the search function, which is reflected back into the page without proper encoding.
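As an added illustration (not code from Openfire or its Search Plugin), the defect class described above: a search page that echoes the submitted term back into the HTML. `render_unsafe` reproduces the inadequate-filtering pattern, `render_safe` applies HTML output encoding so the same term is displayed as text rather than interpreted as markup, and `reflects_raw_markup` is the check a reviewer can run on the rendered page. The function names, page layout and sample data are assumptions.

```python
import html

# Constructed sample: a search term that contains markup. In the unsafe
# renderer it becomes part of the page's DOM; in the safe one it is shown
# literally. Result strings are encoded too, since they may also be
# user-controlled (e.g. a display name set by another account).
SAMPLE_TERM = "<b>alice</b>"
SAMPLE_RESULTS = ["alice@example.org", "alice.smith@example.org"]


def render_unsafe(term, results):
    """Reflects the search term verbatim: the inadequate-filtering pattern."""
    items = "".join(f"<li>{r}</li>" for r in results)
    return f"<p>Results for: {term}</p><ul>{items}</ul>"


def _enc(value):
    """HTML output encoding; quote=True also encodes ' and \" so the value
    is safe inside attribute values, not only in element content."""
    return html.escape(value, quote=True)


def render_safe(term, results):
    """Reflects the term and results only after output encoding."""
    items = "".join(f"<li>{_enc(r)}</li>" for r in results)
    return f"<p>Results for: {_enc(term)}</p><ul>{items}</ul>"


def reflects_raw_markup(page, term):
    """True if the submitted term appears in the page unencoded."""
    return term in page
```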
Solutions
FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability: IgniteRealtime.Openfire.Search.XSS
Released Apr 17, 2019
Users should apply the solution provided by Ignite Realtime.
Timeline
Fortinet reported the vulnerability to Ignite Realtime on Dec 6, 2018.
Ignite Realtime confirmed the vulnerability on Apr 17, 2019.
Ignite Realtime patched the vulnerability on Sept 25, 2019.