PT-2017-14280 · Ignite Realtime · Openfire Server

Published: 2017-10-26 · Updated: 2022-05-17 · CVE-2017-15911

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Openfire Server versions prior to 4.1.7

Description: A crafted link to setup/setup-host-settings.jsp with a malicious domain parameter executes arbitrary client-side JavaScript (cross-site scripting) in the browser of a victim who clicks it. This can lead to session ID and data theft, bypassing of CSRF protections, injection of iframes to establish communication channels, and other attacks.

Recommendations: For versions prior to 4.1.7, update to version 4.1.7 or later to resolve the issue. As a temporary workaround, restrict access to the setup-host-settings.jsp page until the update is applied. Avoid clicking on suspicious links, especially those with crafted domain parameters, to minimize the risk of exploitation.
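For defenders who cannot patch immediately, the workaround above can be paired with a check of the web server access log for requests to setup/setup-host-settings.jsp whose domain parameter is not a plain hostname. The script below is an added example, not part of this advisory or of the Openfire project; the log lines, the combined-log format, the client addresses and the page path prefix are all constructed assumptions, and it generalizes the page's single parameter to any value that is not a valid hostname (including percent-encoded or double-encoded markup).

```python
import re
from urllib.parse import urlsplit, parse_qs

# A legitimate XMPP domain is a hostname (RFC 1123 labels, optional port).
# Markup characters, quotes and '%' (left over from double encoding) never
# appear in one, so anything failing this pattern is worth a look.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*"
    r"(:\d{1,5})?$"
)

# Assumed combined log format:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path of the affected page (from the advisory); the leading "/" is assumed.
SETUP_PAGE = "/setup/setup-host-settings.jsp"

# Constructed sample log lines: one benign hit, one with an encoded tag,
# one unrelated page, one double-encoded value.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Oct/2017:10:01:02 +0000] "GET /setup/setup-host-settings.jsp?domain=xmpp.example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [26/Oct/2017:10:02:15 +0000] "GET /setup/setup-host-settings.jsp?domain=ex%3Cb%3Eample.org HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Oct/2017:10:03:40 +0000] "GET /login.jsp?url=%3C HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [26/Oct/2017:10:04:00 +0000] "GET /setup/setup-host-settings.jsp?domain=example.org%253Cb HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_domain_values(target):
    """Return the (percent-decoded) domain= values of a request to the setup page
    that are not plain hostnames. Requests to other paths yield an empty list."""
    parts = urlsplit(target)
    if not parts.path.endswith(SETUP_PAGE):
        return []
    # parse_qs decodes one layer of percent-encoding; a double-encoded value
    # still contains '%' afterwards and therefore also fails HOSTNAME_RE.
    values = parse_qs(parts.query).get("domain", [])
    return [v for v in values if not HOSTNAME_RE.match(v)]


def scan(lines):
    """Walk log lines and collect client, time and offending values per hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bad = suspicious_domain_values(rec["target"])
        if bad:
            findings.append({"client": rec["client"], "time": rec["time"], "values": bad})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} domain={f['values']}")
```

Feed the real access log to `scan()` (one line per element) after adjusting `LOG_RE` to the server's actual log format; a hit means someone followed or probed a crafted link, so the source address and timestamp are the starting point for checking which administrator session was active.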

Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2017-15911
GHSA-V3H2-4J2R-WQJ8

Affected Products

Openfire Server