ID

VAR-201806-0919


CVE

CVE-2018-11688


TITLE

Ignite Realtime Openfire vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-006608

DESCRIPTION

Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. Ignite Realtime Openfire (formerly Wildfire) is a cross-platform, open source real-time collaboration (RTC) server based on XMPP (the instant messaging protocol formerly known as Jabber), developed in Java by the Ignite Realtime community. It can be used to build an efficient instant messaging server that supports tens of thousands of concurrent users.

Trust: 2.16

sources: NVD: CVE-2018-11688 // JVNDB: JVNDB-2018-006608 // CNVD: CNVD-2018-14347

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-14347

AFFECTED PRODUCTS

vendor: igniterealtime, model: openfire, scope: eq, version: 3.7.1

Trust: 1.6

vendor: ignite realtime, model: openfire, scope: eq, version: 3.7.1

Trust: 0.8

vendor: igniterealtime, model: igniterealtime, scope: eq, version: 3.7.1

Trust: 0.6

sources: CNVD: CNVD-2018-14347 // JVNDB: JVNDB-2018-006608 // CNNVD: CNNVD-201806-845 // NVD: CVE-2018-11688

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-11688
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-11688
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-14347
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201806-845
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-11688
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-14347
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-11688
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-14347 // JVNDB: JVNDB-2018-006608 // CNNVD: CNNVD-201806-845 // NVD: CVE-2018-11688

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-006608 // NVD: CVE-2018-11688

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-845

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201806-845

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006608

PATCH

title: Openfire, url: http://www.igniterealtime.org/projects/openfire/index.jsp

Trust: 0.8

sources: JVNDB: JVNDB-2018-006608

EXTERNAL IDS

db: NVD, id: CVE-2018-11688

Trust: 3.0

db: PACKETSTORM, id: 148057

Trust: 2.4

db: JVNDB, id: JVNDB-2018-006608

Trust: 0.8

db: CNVD, id: CNVD-2018-14347

Trust: 0.6

db: CNNVD, id: CNNVD-201806-845

Trust: 0.6

sources: CNVD: CNVD-2018-14347 // JVNDB: JVNDB-2018-006608 // CNNVD: CNNVD-201806-845 // NVD: CVE-2018-11688

REFERENCES

url: http://packetstormsecurity.com/files/148057/ignite-realtime-openfire-3.7.1-cross-site-scripting.html

Trust: 2.4

url: http://seclists.org/fulldisclosure/2018/jun/13

Trust: 1.6

url: http://www.securityfocus.com/archive/1/542060/100/0/threaded

Trust: 1.6

url: http://seclists.org/fulldisclosure/2018/jun/24

Trust: 1.6

url: https://github.com/igniterealtime/openfire/compare/v3.9.1...v3.9.2

Trust: 1.6

url: https://vulmon.com/vulnerabilitydetails?qid=cve-2018-11688

Trust: 1.6

url: https://github.com/igniterealtime/openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2018-11688

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11688

Trust: 0.8

sources: CNVD: CNVD-2018-14347 // JVNDB: JVNDB-2018-006608 // CNNVD: CNNVD-201806-845 // NVD: CVE-2018-11688

SOURCES

db: CNVD, id: CNVD-2018-14347
db: JVNDB, id: JVNDB-2018-006608
db: CNNVD, id: CNNVD-201806-845
db: NVD, id: CVE-2018-11688

LAST UPDATE DATE

2024-11-23T22:30:21.646000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-14347, date: 2018-08-01T00:00:00
db: JVNDB, id: JVNDB-2018-006608, date: 2018-08-28T00:00:00
db: CNNVD, id: CNNVD-201806-845, date: 2019-06-21T00:00:00
db: NVD, id: CVE-2018-11688, date: 2024-11-21T03:43:49.573

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-14347, date: 2018-08-01T00:00:00
db: JVNDB, id: JVNDB-2018-006608, date: 2018-08-28T00:00:00
db: CNNVD, id: CNNVD-201806-845, date: 2018-06-14T00:00:00
db: NVD, id: CVE-2018-11688, date: 2018-06-13T16:29:01.437