Signature Detail
Short Name |
HTTP:XSS:OPENFIRE-USER-CREATE |
|---|---|
Severity |
High |
Recommended |
Yes |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
Ignite Realtime Openfire user-create.jsp Cross-Site Request Forgery |
Release Date |
2015/10/07 |
Update Number |
2543 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Ignite Realtime Openfire user-create.jsp Cross-Site Request Forgery
A cross-site request forgery vulnerability has been reported in Openfire's user-create.jsp script. The vulnerability is due to insufficient CSRF protections. A remote, unauthenticated attacker can exploit this vulnerability by enticing a user with administrator privileges to visit a page which sends a request to user-create.jsp. Successful exploitation can result in adding arbitrary users.
References
- CVE: CVE-2015-6973