Openfire Path Traversal

High | Web App Scanning Plugin ID 114197

Synopsis

Openfire Path Traversal

Description

Openfire versions 3.10.0 through 4.6.7 and 4.7.0 through 4.7.4 (that is, >= 3.10.0 and < 4.6.8, or 4.7.x < 4.7.5) are affected by a path traversal flaw. The Openfire Setup Environment is reachable without authentication; an unauthenticated attacker can abuse that environment on an already configured server to traverse into pages of the Openfire Admin Console that are reserved for administrative users.
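The practical detection signal for this class of flaw is a request whose raw path sits under the unauthenticated setup tree but whose decoded, normalized form escapes it. The following is an added example (not Tenable's plugin code and not Openfire project code) that scans constructed access-log lines for that pattern. The log lines, the request paths and the encodings in them are constructed for the example, not taken from the page or the advisory; the handling of the non-standard `%uXXXX` escape is included as an assumption about what a lenient URL decoder might accept, so that such requests are not missed.

```python
"""Flag requests that enter /setup/ but normalize out of it.

Added example for detection over access logs; not plugin or project code.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample traffic in Combined Log Format (not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2024:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 1234
10.0.0.5 - - [07/Feb/2024:10:00:02 +0000] "GET /setup/index.jsp HTTP/1.1" 302 0
10.0.0.9 - - [07/Feb/2024:10:00:03 +0000] "GET /setup/setup-s/%2e%2e/%2e%2e/user-groups.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [07/Feb/2024:10:00:04 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1" 200 8000
10.0.0.9 - - [07/Feb/2024:10:00:05 +0000] "GET /setup/setup-s/%252e%252e/%252e%252e/server-properties.jsp HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Assumption: a lenient decoder may accept the non-standard %uXXXX form.
U_ESCAPE_RE = re.compile(r'%u([0-9a-fA-F]{4})')

SETUP_PREFIX = '/setup/'


def decode_path(raw_path: str, max_rounds: int = 3) -> str:
    """Strip the query string and percent-decode repeatedly.

    Repeated rounds catch double encoding (%252e -> %2e -> .). The loop
    stops as soon as a round changes nothing.
    """
    path = raw_path.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = U_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), path)
        decoded = unquote(decoded)
        if decoded == path:
            break
        path = decoded
    return path


def normalize_path(decoded: str) -> str:
    """Collapse '.' and '..' segments the way a servlet container would."""
    # Force a single leading slash so normpath cannot keep a '//' prefix.
    return posixpath.normpath('/' + decoded.lstrip('/'))


def is_setup_traversal(raw_path: str) -> bool:
    """True when the request names /setup/ but resolves outside it."""
    decoded = decode_path(raw_path)
    canonical = '/' + decoded.lstrip('/')
    if not canonical.startswith(SETUP_PREFIX):
        return False
    return not normalize_path(canonical).startswith(SETUP_PREFIX)


def scan_log(text: str) -> list:
    """Return (ip, raw_path, resolved_path) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        raw = m.group('path')
        if is_setup_traversal(raw):
            hits.append((m.group('ip'), raw, normalize_path(decode_path(raw))))
    return hits


if __name__ == '__main__':
    for ip, raw, resolved in scan_log(SAMPLE_LOG):
        print(f'{ip} requested {raw} -> resolves to {resolved}')
```

A request that legitimately stays inside `/setup/` (such as the `index.jsp` line) is not flagged; the three lines that traverse out of it are. On a server that has already completed setup, any hit from this scan deserves the same triage as a successful unauthenticated admin-console access, because that is what the flaw grants.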

Solution

Upgrade to Openfire version 4.6.8, 4.7.5 or later.
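The affected ranges above are easy to get wrong by hand, since 4.6.8 is fixed while 4.7.0 through 4.7.4 are not. The following added example (not Tenable's plugin code) encodes the two ranges from this page and evaluates a version string against them. The HTML snippet and the `Openfire, Version:` banner format it parses are constructed for the example and assumed, not taken from the page.

```python
"""Check an Openfire version string against the ranges fixed in 4.6.8 / 4.7.5.

Added example, not plugin code. Ranges are [lower, upper) as stated on the page.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected: >= 3.10.0 and < 4.6.8, or >= 4.7.0 and < 4.7.5.
AFFECTED_RANGES = [
    ((3, 10, 0), (4, 6, 8)),
    ((4, 7, 0), (4, 7, 5)),
]

VERSION_RE = re.compile(r'(\d+)\.(\d+)(?:\.(\d+))?')

# Assumption: the admin console login page carries a banner of this shape.
BANNER_RE = re.compile(r'Openfire,\s*Version:\s*(\d+(?:\.\d+){1,2})')

# Constructed HTML fragment standing in for a fetched login page.
SAMPLE_LOGIN_HTML = '<span id="jive-loginVersion">Openfire, Version: 4.7.4</span>'


def parse_version(text: str) -> Version:
    """Turn '4.7.4', '4.7' or '4.7.4 Alpha' into a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f'no version found in {text!r}')
    major, minor, patch = m.group(1), m.group(2), m.group(3) or '0'
    return (int(major), int(minor), int(patch))


def is_vulnerable(version_text: str) -> bool:
    """True if the version falls in either affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_login_page(html: str) -> Optional[str]:
    """Extract the version banner, or None if the page does not expose one."""
    m = BANNER_RE.search(html)
    return m.group(1) if m else None


def assess_login_page(html: str) -> Optional[bool]:
    """None when no version is visible; otherwise the vulnerability verdict."""
    version = version_from_login_page(html)
    return None if version is None else is_vulnerable(version)


if __name__ == '__main__':
    for v in ('3.9.3', '3.10.0', '4.6.7', '4.6.8', '4.7.4', '4.7.5', '4.8.0'):
        print(v, 'vulnerable' if is_vulnerable(v) else 'not in affected range')
    print('login page verdict:', assess_login_page(SAMPLE_LOGIN_HTML))
```

A banner-based check is only a first pass: a console that hides its version, or a patched build reporting an old banner, needs confirmation from the server's own package or release metadata before the finding is closed.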

See Also

https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm

https://igniterealtime.atlassian.net/browse/OF-2595

Plugin Details

Severity: High

ID: 114197

Type: remote

Published: 2/7/2024

Updated: 2/7/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.2

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-32315

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: CVE-2023-32315

Vulnerability Information

CPE: cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/23/2023

Vulnerability Publication Date: 5/9/2023

CISA Known Exploited Vulnerability Due Dates: 9/14/2023

Reference Information

CVE: CVE-2023-32315