XSS vulnerability in Monitoring Service pages in Admin Console

Description

In the admin panel of Openfire, if you go to Archiving to start a search for a conversation, you will have a URL something like this:

http://domain.tld/plugins/monitoring/archive-search.jsp?participant1=any&participant2=any&startDate=any&endDate=any&keywords=&submitForm=Search&start&range=&parseRange=

The following parameters are vulnerable to reflected XSS (Cross-Site Scripting):

participant1
participant2
startDate
endDate
keywords
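As an added illustration (not the monitoring plugin's own archive-search.jsp source, and assuming the standard JSTL core and functions taglibs are available to the page), this shows the reflection pattern behind the report and the escaping that Simon Waters later observed in 4.1beta:

```jsp
<%-- Added example, not the monitoring plugin's code. Assumes the JSTL
     core and functions taglibs are on the classpath and EL is enabled. --%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>

<form action="archive-search.jsp" method="get">

  <%-- BEFORE: the request parameter is written straight into the
       attribute. A value containing a double quote closes the
       attribute and the remainder is parsed as markup, which is the
       reflected XSS described above. An absent parameter also renders
       as the literal text "null". --%>
  <input type="text" name="participant1"
         value="<%= request.getParameter("participant1") %>" />

  <%-- AFTER: <c:out> escapes &, <, >, " and ' by default, so the value
       is always treated as text inside the quoted attribute, and an
       absent parameter renders as an empty string. --%>
  <input type="text" name="participant1"
         value="<c:out value="${param.participant1}"/>" />

  <%-- The other reflected fields get the same treatment; fn:escapeXml
       performs the same escaping where an inline EL expression is more
       convenient than a tag. --%>
  <input type="text" name="participant2"
         value="${fn:escapeXml(param.participant2)}" />
  <input type="text" name="startDate"
         value="${fn:escapeXml(param.startDate)}" />
  <input type="text" name="endDate"
         value="${fn:escapeXml(param.endDate)}" />
  <input type="text" name="keywords"
         value="${fn:escapeXml(param.keywords)}" />

  <input type="submit" name="submitForm" value="Search" />
</form>
```

The escaping above is sufficient only because every value lands inside a quoted HTML attribute; a value echoed into a script block or an unquoted attribute would need the encoding appropriate to that context.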

Environment

None

Activity

Simon Waters
December 16, 2016, 3:08 PM

Cannot reproduce this in 4.1beta. The injected strings are escaped and placed in the relevant fields if you manipulate the URL.

wroot
June 17, 2015, 9:58 AM

There is a report that the issue is not fixed yet: https://community.igniterealtime.org/thread/56022

Tom Evans
October 31, 2014, 7:25 PM

Refer to PR #96.

Fixed

Assignee

Tom Evans

Reporter

wroot