
Anonymous registration permits name with javascript payload

Description

Kindly reported to the Openfire Security Email List by Sven Tantau.

If anonymous registration via the XMPP server is enabled, an attacker can
generate one user that contains a JavaScript payload inside the 'name'
parameter.

Once the administrator with access to the Openfire web interface looks
at the list of users, the payload would run.

Environment

None

Acceptance Test - Entry

None

Activity

Tom Evans
April 17, 2014, 5:02 PM

Merged into master from pull request #1.

Fixed

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major