Openfire 3.10.2 CSRF Vulnerability (CVE-2015-6973)
Affected Systems:
Ignite Realtime Openfire 3.10.2
Description:
CVE (CAN) ID: CVE-2015-6973
Openfire is a real-time collaboration server released under the open-source Apache License.
Ignite Realtime Openfire 3.10.2 contains multiple cross-site request forgery (CSRF) vulnerabilities in its administration console. A remote attacker who gets an authenticated administrator to submit a crafted request can change a user's password through user-password.jsp, add users through user-create.jsp, edit server properties or disable server SSL through server-props.jsp, and add permitted clients through plugins/clientcontrol/permitted-clients.jsp.
Source: hyp3rlinx
Link: http://www.securityfocus.com/archive/1/archive/1/536470/100/0/threaded
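As an added example (not Openfire's own code), the request check an admin console can apply to the pages named above: the browser-supplied Origin/Referer must match the console, and the form must carry a token bound to the administrator's session. The console origin, the session store and the sample requests are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Admin pages the advisory names as CSRF targets (paths as given in the advisory).
STATE_CHANGING_PAGES = {
    "/user-password.jsp",
    "/user-create.jsp",
    "/server-props.jsp",
    "/plugins/clientcontrol/permitted-clients.jsp",
}

def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin session (synchronizer-token pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_check(request: dict, session: dict, admin_origin: str) -> tuple:
    """Return (allowed, reason) for a request to the admin console.

    request is a constructed dict: method, path, headers (lower-case keys), form.
    Only POSTs to the guarded pages are checked: a page that mutates state on GET
    has to be made POST-only first, otherwise no token check can protect it.
    """
    if request["method"] != "POST" or request["path"] not in STATE_CHANGING_PAGES:
        return True, "not a guarded state-changing request"
    # Check 1: the request must originate from the console itself, not another site.
    headers = request.get("headers", {})
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "missing Origin/Referer"
    if urlparse(source).netloc != urlparse(admin_origin).netloc:
        return False, "cross-site origin " + urlparse(source).netloc
    # Check 2: the form token must equal the session token; compare in constant time.
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched CSRF token"
    return True, "ok"

def demo() -> dict:
    """Run three constructed requests (not real traffic) through the check."""
    admin = "https://openfire-admin.example:9091"  # assumed console origin
    session = {}
    token = issue_csrf_token(session)
    forged = {"method": "POST", "path": "/user-password.jsp",
              "headers": {"origin": "https://other-site.example"}, "form": {}}
    legit = {"method": "POST", "path": "/user-password.jsp",
             "headers": {"origin": admin}, "form": {"csrf_token": token}}
    stale = dict(legit, form={"csrf_token": "stale-token"})
    return {name: csrf_check(r, session, admin)
            for name, r in (("forged", forged), ("legit", legit), ("stale", stale))}
```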
Suggestion:
Vendor patch:
Openfire
---------
At the time of writing, the vendor has not released a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
Http://www.openfiler.com/