In the admin panel of openfire, if you go to Archiving to start a search for a conversation you will have a url something like this:
The folowing parameters are vulnerable to Reflected XSS(Cross Site Scripting):
participant1
participant2
startDate
endDate
keywords
Refer to PR #96.
There is a report that the issue is not fixed yet: https://community.igniterealtime.org/thread/56022
Can not reproduce this in 4.1beta. The injected strings are escaped and placed in the relevant fields if you manipulate the URL.