CVE-2018-11688

Public Exploit

Description

Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

References

Link	Tags
http://seclists.org/fulldisclosure/2018/Jun/13	mailing list exploit third party advisory
https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688	third party advisory exploit
http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html	exploit vdb entry third party advisory
http://www.securityfocus.com/archive/1/542060/100/0/threaded	mailing list vdb entry third party advisory
http://seclists.org/fulldisclosure/2018/Jun/24	mailing list
https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2
https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a

Frequently Asked Questions

What is the severity of CVE-2018-11688?: CVE-2018-11688 has been scored as a medium severity vulnerability.
How to fix CVE-2018-11688?: To fix CVE-2018-11688, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2018-11688 being actively exploited in the wild?: It is possible that CVE-2018-11688 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~4% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

Frequently Asked Questions