CVE-2009-0496

Name of the Vulnerable Software and Affected Versions Ignite Realtime Openfire version 3.6.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different API endpoints, including "/logviewer.jsp", "/log.jsp", "/group-summary.jsp", "/user-properties.jsp", "/audit-policy.jsp", "/server-properties.jsp", and "/muc-room-edit-form.jsp". The vulnerable parameters include log, search, username, logDir, maxTotalSize, maxFileSize, maxDays, logTimeout, propName, roomconfig roomname, and roomconfig roomdesc. This can potentially be leveraged for arbitrary code execution by using the injected script to upload a malicious plugin.

Recommendations For Ignite Realtime Openfire version 3.6.2, update to a newer version that contains a fix for this issue to prevent arbitrary code execution and cross-site scripting attacks. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "/logviewer.jsp", "/log.jsp", "/group-summary.jsp", "/user-properties.jsp", "/audit-policy.jsp", "/server-properties.jsp", and "/muc-room-edit-form.jsp", and avoid using the vulnerable parameters until a patch is available.