Kindly reported to Openfire Security Email List by Sven Tantau
If anonymous registration via xmpp server is enabled, an attacker can
generate one user that contains javascript payload inside the 'name'
parameter.
Once the administrator with access to the openfire webinterface looks
at the list of users, the payload would run.