CVE-2020-24604

Name of the Vulnerable Software and Affected Versions Ignite Realtime Openfire version 4.5.1

Description A Reflected XSS issue was discovered, allowing remote attackers to inject arbitrary web script or HTML via the GET request parameters searchName, searchValue, searchDescription, searchDefaultValue, searchPlugin, and searchDynamic in the "server-properties.jsp" and "security-audit-viewer.jsp" pages.

Recommendations For Ignite Realtime Openfire version 4.5.1, consider restricting access to the vulnerable parameters searchName, searchValue, searchDescription, searchDefaultValue, searchPlugin, and searchDynamic in the affected pages until a patch is available. As a temporary workaround, avoid using these parameters in the GET requests to the "server-properties.jsp" and "security-audit-viewer.jsp" pages.