CVE-2019-20366
Description
An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Openfire 4.4.4 via isTrustStore parameter in Manage Store Contents allows arbitrary script injection.
Root cause
An XSS vulnerability was identified in Ignite Realtime Openfire version 4.4.4, specifically in the Manage Store Contents functionality. The isTrustStore parameter was not properly sanitized before being rendered in the admin console, allowing attackers to inject arbitrary HTML and JavaScript [1][2].
Exploitation
An attacker can exploit this by crafting a malicious URL containing a specially crafted isTrustStore value. If an authenticated admin user clicks the link, the injected script executes within the admin's session. No authentication is required for the attacker to craft the URL, but victim interaction (clicking) is necessary [4].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the admin console, potentially leading to session hijacking, administrative actions performed on behalf of the victim, or theft of sensitive data.
Mitigation
The issue was fixed in a subsequent commit [4] and merged via pull request [1]. Users are advised to upgrade to a patched version (4.4.5 or later) or apply the provided patch. No workaround is available without upgrading.
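The pattern behind the root cause and the fix, as an added illustration rather than Openfire's own code (the class, method names and the hidden-field markup are assumptions; the actual change is in the referenced commit [4]): a request parameter concatenated straight into admin-console HTML, next to a rendering path that constrains the value to the two values it can legitimately take and HTML-encodes whatever is written out.

```java
import java.util.Objects;

/**
 * Added example for CVE-2019-20366 (not Openfire's code).
 * Shows a reflected parameter (isTrustStore) written into admin-console HTML
 * unencoded, and a hardened variant that validates and encodes on output.
 */
public class StoreContentsRender {

    /** Minimal HTML text/attribute encoder (hypothetical helper; any standard encoder works). */
    static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: the raw request parameter is placed in an attribute value. */
    static String renderVulnerable(String isTrustStore) {
        return "<input type=\"hidden\" name=\"isTrustStore\" value=\"" + isTrustStore + "\">";
    }

    /**
     * Hardened pattern: the parameter is a flag, so normalise it to "true"/"false"
     * before rendering, and still encode the output as a second line of defence.
     */
    static String renderHardened(String isTrustStore) {
        boolean trust = Boolean.parseBoolean(Objects.toString(isTrustStore, "false"));
        String safeValue = htmlEncode(Boolean.toString(trust));
        return "<input type=\"hidden\" name=\"isTrustStore\" value=\"" + safeValue + "\">";
    }

    /**
     * Defensive check for log review or input validation: a flag parameter that
     * carries markup characters is not a legitimate request and is worth alerting on.
     */
    static boolean looksLikeMarkupInjection(String isTrustStore) {
        if (isTrustStore == null) {
            return false;
        }
        return !isTrustStore.equals("true") && !isTrustStore.equals("false")
                && (isTrustStore.indexOf('<') >= 0 || isTrustStore.indexOf('>') >= 0
                    || isTrustStore.indexOf('"') >= 0 || isTrustStore.indexOf('\'') >= 0);
    }

    public static void main(String[] args) {
        // Constructed sample value: breaks out of the attribute and adds an element.
        String tainted = "true\" data-x=\"<i>constructed</i>";

        System.out.println("vulnerable: " + renderVulnerable(tainted));
        System.out.println("hardened:   " + renderHardened(tainted));
        System.out.println("flagged:    " + looksLikeMarkupInjection(tainted));
        System.out.println("normal:     " + renderHardened("true")
                + " flagged=" + looksLikeMarkupInjection("true"));
    }
}
```

The vulnerable render emits the attacker-controlled characters verbatim, so the browser closes the attribute early and parses the rest as markup; the hardened render only ever writes `true` or `false`, and `looksLikeMarkupInjection` gives a simple rule for spotting such requests in access logs after the fact.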
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.igniterealtime.openfire:parent (Maven) | < 4.5.0 | 4.5.0 |
Affected products
- Ignite Realtime / Openfire
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m6pr-xcrm-4qqp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-20366 (NVD advisory)
- cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html (web, x_refsource_MISC)
- github.com/igniterealtime/Openfire/commit/fef55d4be50da8f66f468d9e7d822528acb8273d (fix commit)
- github.com/igniterealtime/Openfire/pull/1561 (pull request, x_refsource_MISC)
- issues.igniterealtime.org/browse/OF-1955 (issue tracker, x_refsource_MISC)
News mentions
No linked articles in our index yet.