CVE-2020-36956
Stored XSS in Openfire 4.6.0 Nodejs Plugin Risks Admin Accounts

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: VulnCheck

Description
Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page.
Meta Information
Published: 2026-01-26
Last Modified: 2026-01-26
Generated: 2026-06-16
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor          Product   Version / Range
igniterealtime  openfire  4.6.0
igniterealtime  openfire  to 4.6.0 (exc)
CWE ID  Description
CWE-79  The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) flaw in Openfire version 4.6.0, specifically in the nodejs plugin. It occurs because the 'path' parameter is not properly sanitized, allowing attackers to inject malicious JavaScript code. When an administrative user views the nodejs configuration page, the injected script executes in their browser context, potentially leading to unauthorized actions such as stealing cookies or performing other malicious activities. [1, 2]

Impact Analysis

The impact of this vulnerability is that an attacker can execute arbitrary JavaScript code in the browser of an administrative user who views the affected nodejs configuration page. This can lead to theft of sensitive information like session cookies, unauthorized actions performed with administrative privileges, and potentially further compromise of the system or user accounts. [1, 2]

Detection Guidance

This vulnerability can be detected by sending crafted HTTP POST requests to the endpoint /plugins/nodejs/nodejs.jsp with the 'path' parameter containing script-tag payloads, such as "><ScRiPt>alert(document.cookie)</ScRiPt>". Monitoring HTTP traffic for such suspicious POST requests targeting the 'path' parameter in the nodejs plugin can help detect exploitation attempts. A sample command using curl to test the vulnerability is:

    curl -X POST -d 'path="><ScRiPt>alert(document.cookie)</ScRiPt>' http://<target>/plugins/nodejs/nodejs.jsp

If the script runs in the response, or later when an administrator loads the page, the system is vulnerable. [1, 2]
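The monitoring described above can be sketched as a log filter; this is an added example, not code from the advisory or from the Openfire project. It assumes a reverse proxy or WAF that writes one JSON object per request with the hypothetical fields `src`, `method`, `uri` and `body`, and it goes slightly beyond script tags by flagging any markup character in `path`, on the assumption that the parameter should only ever hold a filesystem path.

```python
import json
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/plugins/nodejs/nodejs.jsp"  # endpoint named in the advisory
MARKUP = set("<>\"'`")  # characters able to break out of an HTML attribute or tag

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_path_values(record):
    """Return decoded 'path' form values of one request that contain markup."""
    if record.get("method", "").upper() != "POST":
        return []
    if record.get("uri", "").split("?", 1)[0] != ENDPOINT:
        return []
    form = parse_qs(record.get("body", ""), keep_blank_values=True)
    values = (decode_fully(v) for v in form.get("path", []))
    return [v for v in values if MARKUP & set(v)]

def scan(lines):
    """Return (source address, offending value) pairs for flagged JSON log lines."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
            hits = suspicious_path_values(record)
        except (ValueError, AttributeError):
            continue  # malformed line or not a JSON object: skip it
        findings += [(record.get("src"), v) for v in hits]
    return findings

# Constructed sample records (hypothetical log schema), not captured traffic.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "192.0.2.10", "method": "POST", "uri": ENDPOINT, "body": "path=%2Fusr%2Flocal%2Fbin%2Fnode"},
    {"src": "192.0.2.44", "method": "POST", "uri": ENDPOINT, "body": 'path="><ScRiPt>alert(document.cookie)</ScRiPt>'},
    {"src": "192.0.2.44", "method": "POST", "uri": ENDPOINT, "body": "path=%22%3E%3CScRiPt%3Ealert(document.cookie)%3C%2FScRiPt%3E"},
    {"src": "192.0.2.45", "method": "POST", "uri": ENDPOINT, "body": "path=%2522%253E%253CScRiPt%253E"},
    {"src": "192.0.2.10", "method": "GET", "uri": ENDPOINT + "?path=%3Cb%3E", "body": ""},
)]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT src={src} path={value!r}")
```

A legitimate path that contains an apostrophe would also be flagged, so treat hits as leads to review rather than confirmed exploitation.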

Mitigation Strategies

Immediate mitigation steps include restricting access to the nodejs plugin configuration page to trusted administrative users only, applying input validation or sanitization on the 'path' parameter to prevent script injection, and monitoring for suspicious POST requests targeting the vulnerable endpoint. Additionally, upgrading Openfire to a version later than 4.6.0 where this vulnerability is fixed or disabling the nodejs plugin if not required can help mitigate the risk. [2]
