Bugzilla – Bug 948960
CVE-2015-7707: openfire multiple privilege escalation issues
Last modified: 2017-02-15 10:31:13 UTC
Courtesy bug from the SUSE Security team for a community-maintained package server:messaging/openfire:

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp.

From https://igniterealtime.org/issues/browse/OF-941

Openfire 3.10.2 Cross Site Request Forgery
https://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html

Openfire 3.10.2 Cross Site Scripting
https://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html

Openfire 3.10.2 Privilege Escalation
https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html

Openfire 3.10.2 Remote File Inclusion
https://packetstormsecurity.com/files/133560/Openfire-3.10.2-Remote-File-Inclusion.html

Openfire 3.10.2 Arbitrary File Upload
https://packetstormsecurity.com/files/133561/Openfire-3.10.2-Arbitrary-File-Upload.html

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7707
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt
http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html
https://igniterealtime.org/issues/browse/OF-941
https://www.exploit-db.com/exploits/38190/
13.2 is out of support, and openfire is now 4.1.1.