PT-2015-7588 · Ignite Realtime · Openfire
Hyp3Rlinx
·
Published
2015-10-05
·
Updated
2017-07-01
·
CVE-2015-7707
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Ignite Realtime Openfire version 3.10.2
Description
The issue allows remote authenticated users to gain administrator access. This is achieved by exploiting the
isadmin parameter in the "user-edit-form.jsp" endpoint.Recommendations
For Ignite Realtime Openfire version 3.10.2, consider restricting access to the "user-edit-form.jsp" endpoint until a patch is available. As a temporary workaround, avoid using the
isadmin parameter in this endpoint to minimize the risk of exploitation.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openfire