CVE-2019-20525
Description
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Openfire 4.4.1 contains a reflected XSS vulnerability in the setup-datasource-standard.jsp page via the driver parameter, allowing remote attackers to inject arbitrary JavaScript.
Vulnerability
Overview
Ignite Realtime Openfire version 4.4.1 is affected by a reflected cross-site scripting (XSS) vulnerability in the setup/setup-datasource-standard.jsp page. The driver POST parameter is not properly sanitized before being reflected back to the user, allowing an attacker to inject arbitrary HTML and JavaScript code [1][2].
Exploitation
This vulnerability can be exploited by sending a crafted request to the setup page with a malicious payload in the driver parameter. The attack does not require authentication, as the setup page is typically accessible without prior login. However, exploitation relies on social engineering to trick a user into clicking a crafted link or submitting a malicious form, as the XSS is reflected and not stored [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This could lead to session hijacking, defacement of the setup interface, or redirection to malicious sites. The CVSS v3.0 score is 6.1 (Medium), with network attack vector, low complexity, and no privileges required, but user interaction is needed [1][2].
Mitigation
The vendor addressed this issue in a subsequent release; the advisory from Netsparker (now Invicti) indicates that the fix was implemented on 25 September 2019 [2]. Users should upgrade to Openfire version 4.4.2 or later to remediate the vulnerability.
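The two fixes a reviewer would expect for the reflected `driver` parameter described above are attribute-context output encoding and input validation, with a log check as defence in depth. The block below is an added example, not code from Openfire or the advisory: the HTML fragment shape, the function names and the sample request records are assumptions (the real markup of setup-datasource-standard.jsp is not on this page).

```python
"""Model of the reflected-XSS pattern behind CVE-2019-20525 and its remediation.

Added example; the fragment shape, function names and SAMPLE_REQUESTS are
constructed for illustration and are not taken from Openfire's source.
"""
import html
import re

SETUP_PAGE = "/setup/setup-datasource-standard.jsp"


def render_driver_field_unsafe(driver: str) -> str:
    """Flawed pattern: the submitted value is concatenated straight into an
    HTML attribute, so a double quote in the input closes the attribute and
    whatever follows is rendered as markup."""
    return f'<input type="text" name="driver" value="{driver}">'


def render_driver_field_safe(driver: str) -> str:
    """Hardened pattern: html.escape(quote=True) encodes & < > " and ', which
    is what an attribute context needs. The value is still displayed, but it
    can no longer terminate the attribute or start a new element."""
    return f'<input type="text" name="driver" value="{html.escape(driver, quote=True)}">'


_TAG_START = re.compile(r"<[a-zA-Z/]")


def count_tags(fragment: str) -> int:
    """Number of tag starts in a rendered fragment. The field on its own
    contributes exactly one; anything more means the input broke out."""
    return len(_TAG_START.findall(fragment))


# A JDBC driver class name is a Java fully qualified class name: identifier
# segments joined by dots. Nothing a legitimate value needs is markup.
_JAVA_FQCN = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def is_valid_driver_class_name(value: str) -> bool:
    """Allowlist validation to apply before the value is ever rendered."""
    return bool(_JAVA_FQCN.fullmatch(value))


def flag_requests(requests):
    """Return the indexes of requests to the setup page whose driver
    parameter is not a plausible driver class name. Records are assumed to
    come from a reverse proxy or WAF that captures form fields, since a
    plain access log does not contain POST bodies."""
    flagged = []
    for i, req in enumerate(requests):
        if req.get("path") != SETUP_PAGE:
            continue
        driver = req.get("params", {}).get("driver", "")
        if not is_valid_driver_class_name(driver):
            flagged.append(i)
    return flagged


# Constructed sample records: one legitimate setup submission, one with
# markup in the driver field, and one with markup sent to an unrelated page.
SAMPLE_REQUESTS = [
    {"path": SETUP_PAGE, "params": {"driver": "com.mysql.jdbc.Driver"}},
    {"path": SETUP_PAGE, "params": {"driver": '"><b>injected</b>'}},
    {"path": "/login.jsp", "params": {"driver": '"><b>x</b>'}},
]


if __name__ == "__main__":
    probe = '"><b>injected</b>'
    print("unsafe:", render_driver_field_unsafe(probe), count_tags(render_driver_field_unsafe(probe)))
    print("safe:  ", render_driver_field_safe(probe), count_tags(render_driver_field_safe(probe)))
    print("flagged request indexes:", flag_requests(SAMPLE_REQUESTS))
```

Encoding is the fix that closes the bug regardless of input; the allowlist is a second layer that also makes the log check cheap to write, because a legitimate driver value can never fail it.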
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.igniterealtime.openfire:parent (Maven) | < 4.4.2 | 4.4.2 |
Affected products
- Ignite Realtime / Openfire
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h2mq-p9r5-wh94 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-20525 (GHSA, advisory)
- www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire (GHSA, web; MITRE, MISC)
News mentions
No linked articles in our index yet.