Kindly reported to Openfire Security Email List by Sven Tantau
If anonymous registration via xmpp server is enabled, an attacker can generate one user that contains javascript payload inside the 'name' parameter.
Once the administrator with access to the openfire webinterface looks at the list of users, the payload would run.
Merged into master from pull request #1.