Fortinet Discovers Ignite Realtime Openfire Cross-Site Scripting Vulnerability
Fortinet's FortiGuard Labs has discovered a reflected Cross-Site Scripting (XSS) vulnerability in Ignite Realtime Openfire.
Openfire is a real-time collaboration (RTC) server licensed under the open-source Apache License. It uses XMPP (also called Jabber), the widely adopted open protocol for instant messaging.
A reflected XSS vulnerability has been discovered in Openfire 4.2.3 and earlier versions. It is caused by inadequate filtering of user input in the search function: the search term is reflected back into the response page without being properly encoded.
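The pattern behind this class of bug, as an added example that is not Openfire's code: a search page that reflects the query back to the user, shown first in the vulnerable form (raw string concatenation) and then in the hardened form (HTML output encoding applied in both text and attribute context). The class, method and parameter names are hypothetical; only the pattern (unencoded reflection of a search term) follows the advisory.

```java
// Added example, not from Openfire. Demonstrates why "inadequate filtering"
// of a reflected search term leads to XSS, and what the fix looks like:
// encode the value for the HTML context it is written into.
public final class SearchPageExample {

    /** Vulnerable form: the raw query is concatenated straight into the markup. */
    static String renderUnsafe(String query, int hits) {
        return "<h2>Results for: " + query + "</h2>"
             + "<input type=\"text\" name=\"q\" value=\"" + query + "\">"
             + "<p>" + hits + " matches</p>";
    }

    /**
     * Encode the five characters that can break out of an HTML text node or a
     * quoted attribute value. Encoding both quote styles makes the same helper
     * safe for text context and for double- or single-quoted attributes.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened form: same page, with the query encoded at every point it is reflected. */
    static String renderSafe(String query, int hits) {
        String q = escapeHtml(query);
        return "<h2>Results for: " + q + "</h2>"
             + "<input type=\"text\" name=\"q\" value=\"" + q + "\">"
             + "<p>" + hits + " matches</p>";
    }

    public static void main(String[] args) {
        // Constructed input: markup characters a user could type into the search box.
        String query = "<b>admin</b> \"x\"";
        System.out.println("unsafe: " + renderUnsafe(query, 0));
        System.out.println("safe:   " + renderSafe(query, 0));
    }
}
```

In the unsafe output the `<b>` tags are interpreted as markup and the embedded quote closes the `value` attribute early; in the safe output both are rendered as literal text. Encoding on output is the control to verify when reviewing a fix for this advisory, since input filtering alone (the "inadequate filtering" the advisory names) is easy to bypass and does not cover every context the value is written into.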
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability:
Released Apr 17, 2019
No vendor patch is available at this time, and the vendor has no plan to fix it.
Fortinet reported the vulnerability to Ignite Realtime on Dec 6, 2018.
Ignite Realtime confirmed the vulnerability on Apr 17, 2019.
This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.