Medium severity4.8NVD Advisory· Published Oct 26, 2017· Updated May 13, 2026

CVE-2017-15911

Description

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.igniterealtime.openfire:parentMaven	< 4.1.7	4.1.7

Affected products

Igniterealtime/Openfire
cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*
Range: <=4.1.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.htmlnvdIssue TrackingThird Party AdvisoryWEB
github.com/advisories/GHSA-v3h2-4j2r-wqj8ghsaADVISORY
issues.igniterealtime.org/browse/OF-1417nvdIssue TrackingVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-15911ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.312
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000