Medium severity (CVSS 4.8, NVD) · NVD Advisory · Published Oct 26, 2017 · Updated Jun 17, 2026
CVE-2017-15911
Description
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link (reflected cross-site scripting through the domain parameter). Session ID and data theft may follow, as may bypassing of CSRF protections, injection of iframes to establish communication channels, and similar attacks. The vulnerability is only reachable after the victim has logged in to the application.
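The practical question for an operator is whether a given Openfire instance still reflects the domain parameter unencoded. The following is an added example, not code from the Openfire project or from this advisory: it builds the probe URL for the page named above, models both the pre-4.1.7 behaviour and the fixed behaviour with a stand-in renderer (the real JSP is not reproduced here, so the form markup is an assumption), and classifies a response body as reflecting the probe unescaped, escaped, or not at all. The canary value is constructed for this example; it contains only the three characters that must be HTML-encoded when a value lands inside an attribute.

```python
import html
from urllib.parse import urlencode, urljoin

# Constructed probe value for this example: a quote and angle brackets must be
# encoded when reflected into markup, so their raw presence in a response body
# indicates a reflected-XSS sink (exactly what CVE-2017-15911 describes for
# the domain parameter of setup/setup-host-settings.jsp).
CANARY = 'cve15911"<>probe'


def build_probe_url(base_url: str) -> str:
    """Return the setup-host-settings.jsp URL with CANARY in the domain parameter.

    Note: per the advisory the page is only reachable after logging in to the
    Admin Console, so any live request must carry an authenticated session.
    """
    query = urlencode({"domain": CANARY})
    return urljoin(base_url.rstrip("/") + "/", "setup/setup-host-settings.jsp?" + query)


def render_host_settings(domain: str, escape_output: bool) -> str:
    """Hypothetical stand-in for the server page that echoes the domain value
    into an input field. escape_output=False mimics the vulnerable behaviour
    (value copied verbatim); escape_output=True mimics the corrected behaviour
    (HTML entity encoding, including the double quote that would otherwise
    close the attribute)."""
    value = html.escape(domain, quote=True) if escape_output else domain
    return '<form><input type="text" name="domain" value="%s"></form>' % value


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how a response body reflects the canary.

    'unescaped': raw canary present, the sink is exploitable
    'escaped':   only the entity-encoded form is present, output encoding works
    'absent':    the parameter is not reflected at all
    """
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    print("probe URL:", build_probe_url("http://localhost:9090"))
    for label, escape in (("pre-4.1.7 behaviour", False), ("fixed behaviour", True)):
        body = render_host_settings(CANARY, escape_output=escape)
        print(f"{label:20s} -> {classify_reflection(body)}")
```

When run against a real server, `classify_reflection` is applied to the HTTP response body fetched from `build_probe_url(...)` with an authenticated session; the two `render_host_settings` calls in the main block exist only so the check can be exercised offline.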
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.igniterealtime.openfire:parent | Maven | < 4.1.7 | 4.1.7 |
References
- becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html (third-party advisory, NVD reference)
- github.com/advisories/GHSA-v3h2-4j2r-wqj8 (GitHub Security Advisory)
- issues.igniterealtime.org/browse/OF-1417 (vendor issue tracker, NVD reference)
- nvd.nist.gov/vuln/detail/CVE-2017-15911 (NVD entry)