Admin console (XSS) vulnerability lets attacker change admin password or create new admin
This exploit uses multiple vulnerabilities in Openfire.
Openfire admin must visit exploit link.
Attacker can create new admin or change admin password.
But there is no real exploit code example except for the paid one.
cloned for the CSRF work
Moving unfixed 3.9.2 issues to 3.9.3 for consideration.
Yes, the pending pull request addresses part of the documented vulnerability (XSS). I have reviewed it, and will merge it into the master before the 3.9.2 release is shipped.