ArchLinux: 201612-21: openfire: multiple issues
Summary
- CVE-2015-6972 (cross-site scripting)
Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime
Openfire 3.10.2 allow remote attackers to inject arbitrary web script
or HTML via the (1) groupchatName parameter to
plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to
plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter
to server-session-details.jsp; or the (4) search parameter to
group-summary.jsp.
- CVE-2015-6973 (cross-site request forgery)
Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite
Realtime Openfire 3.10.2 allow remote attackers to hijack the
authentication of administrators for requests that (1) change a
password via a crafted request to user-password.jsp, (2) add users via
a crafted request to user-create.jsp, (3) edit server settings or (4)
disable SSL on the server via a crafted request to server-props.jsp, or
(5) add clients via a crafted request to
plugins/clientcontrol/permitted-clients.jsp.
- CVE-2015-7707 (privilege escalation)
Ignite Realtime Openfire 3.10.2 allows remote authenticated users to
gain administrator access via the isadmin parameter to
user-edit-form.jsp.
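As an added example (not part of the Arch advisory or of Openfire itself), the following Python check scans admin-console access-log lines for the request patterns the three CVEs above describe: the isadmin parameter sent to user-edit-form.jsp, markup in the XSS-affected parameters, and state-changing requests to the CSRF-affected pages that do not originate from the console. The log format, host names, IPs and sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pages and parameters named in the advisory.
ESCALATION_PAGE = "/user-edit-form.jsp"                      # CVE-2015-7707
XSS_PARAMS = {                                               # CVE-2015-6972
    "/plugins/clientcontrol/create-bookmark.jsp": {"groupchatName", "urlName"},
    "/server-session-details.jsp": {"hostname"},
    "/group-summary.jsp": {"search"},
}
CSRF_PAGES = {"/user-password.jsp", "/user-create.jsp",      # CVE-2015-6973
              "/server-props.jsp", "/plugins/clientcontrol/permitted-clients.jsp"}

# Assumed format: combined log with a trailing quoted Referer field.
LOG_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

# Constructed sample lines; the console is assumed to live at admin.example.test:9090.
SAMPLE_LOG = [
    '10.0.0.5 - alice [17/Dec/2016:10:00:01 +0000] "GET /user-edit-form.jsp?username=alice&isadmin=true HTTP/1.1" 200 512 "http://admin.example.test:9090/user-edit-form.jsp?username=alice"',
    '10.0.0.9 - - [17/Dec/2016:10:00:05 +0000] "GET /group-summary.jsp?search=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 900 "-"',
    '10.0.0.7 - admin [17/Dec/2016:10:00:09 +0000] "POST /server-props.jsp HTTP/1.1" 302 0 "http://evil.example.test/page.html"',
    '10.0.0.7 - admin [17/Dec/2016:10:00:12 +0000] "GET /index.jsp HTTP/1.1" 200 3000 "http://admin.example.test:9090/login.jsp"',
]

def analyse(line, console_origin):
    """Return the findings (strings) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, user, method, target, status, referer = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # Privilege escalation vector: isadmin supplied on the user edit form.
    if parts.path == ESCALATION_PAGE and "isadmin" in params:
        findings.append(f"isadmin set on user-edit-form.jsp by {user} from {ip}")
    # XSS vectors: markup in the affected parameters (decoded by parse_qs).
    for name in XSS_PARAMS.get(parts.path, ()):
        if any("<" in v or "javascript:" in v.lower() for v in params.get(name, [])):
            findings.append(f"markup in {name} to {parts.path} from {ip}")
    # CSRF vectors: a state-changing request whose Referer is not the console.
    if parts.path in CSRF_PAGES and (method == "POST" or params) \
            and not referer.startswith(console_origin):
        findings.append(f"state-changing request to {parts.path} without console referer from {ip}")
    return findings

def analyse_log(lines, console_origin):
    """Flatten the findings over a whole log."""
    return [f for line in lines for f in analyse(line, console_origin)]
```

A hit on the isadmin or CSRF checks is worth correlating with the console's audit trail, since a legitimate administrator can also produce them; the XSS check is purely a content heuristic.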
Resolution
Upgrade to 4.1.0-1.
# pacman -Syu "openfire>=4.1.0-1"
The problems have been fixed upstream in version 4.1.0.
References
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt
https://igniterealtime.atlassian.net/browse/OF-942
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt
https://igniterealtime.atlassian.net/browse/OF-941
https://security.archlinux.org/CVE-2015-6972
https://security.archlinux.org/CVE-2015-6973
https://security.archlinux.org/CVE-2015-7707
Workaround
None.