Fortinet Discovers Ignite Realtime Openfire Cross-Site Scripting Vulnerability
Fortinet's FortiGuard Labs has discovered a reflected Cross-Site Scripting (XSS) vulnerability in Ignite Realtime Openfire.
Openfire is a realtime collaboration (RTC) server licensed under the Open Source Apache License. It uses the widely adopted open protocol for instant messaging, XMPP (also called Jabber).
A reflected XSS vulnerability has been discovered in Openfire Search Plugin 1.7.2 and earlier versions. It is caused by inadequate filtering on the search function.
SolutionsFortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Released Apr 17, 2019
Users should apply the solution provided by Ignite Realtime.
Fortinet reported the vulnerability to Ignite Realtime on Dec 6, 2018.
Ignite Realtime confirmed the vulnerability on Apr 17, 2019.
Ignite Realtime patched the vulnerability on Sept 25, 2019.
This vulnerability was discovered by Zhouyuan Yang of Fortinet's FortiGuard Labs.