The following parameters were identified (by @SimonWaters, Surevine - 5th Aug 2014) as being vulnerable to reflected XSS (Cross Site Scripting):
/dwr/exec/downloader.updatePluginsList.dwr [c0-id parameter]
/external-components-settings.jsp [secret parameter]
/external-components-settings.jsp [subdomain parameter]
/group-summary.jsp [search parameter]
/server2server-settings.jsp [remotePort parameter]
/setup/setup-admin-settings.jsp [email parameter]
/setup/setup-admin-settings.jsp [newPassword parameter]
/setup/setup-admin-settings.jsp [newPasswordConfirm parameter]
/setup/setup-admin-settings.jsp [password parameter]
This ticket was originally a collection of issues raised, but has been updated to focus only on reflected XSS (high priority) issues.
Florian Nivette of Sysdream provided a report with additional XSS vulnerabilities. I've attached them to this issue.
In 4.1beta, testing suggests only these remain:
/group-summary.jsp
/setup/setup-admin-settings.jsp
Both also lack CSRF (probably not needed for "search" in group-summary), but this means they may be more readily exploited by remote attackers.
Set-up issues are not obviously exploitable after set-up is complete and the openfire.xml file has "<setup>true</setup>".
I can't make head or tail of this DWR stuff. It's thoroughly buried in layers of Javascript.
Simon implies that the DWR case here is closed, but I think that's in error - we've done nothing that would close it.
Closing this as covers this.