CVE-2020-36956
Stored XSS in Openfire 4.6.0 Nodejs Plugin Risks Admin Accounts
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| igniterealtime | openfire | 4.6.0 |
| igniterealtime | openfire | to 4.6.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) flaw in Openfire version 4.6.0, specifically in the nodejs plugin. It occurs because the 'path' parameter is not properly sanitized, allowing attackers to inject malicious JavaScript code. When an administrative user views the nodejs configuration page, the injected script executes in their browser context, potentially leading to unauthorized actions such as stealing cookies or performing other malicious activities. [1, 2]
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can execute arbitrary JavaScript code in the browser of an administrative user who views the affected nodejs configuration page. This can lead to theft of sensitive information like session cookies, unauthorized actions performed with administrative privileges, and potentially further compromise of the system or user accounts. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests to the endpoint /plugins/nodejs/nodejs.jsp with the 'path' parameter containing script-tag payloads, such as "><ScRiPt>alert(document.cookie)</ScRiPt>". Monitoring HTTP traffic for such suspicious POST requests targeting the 'path' parameter in the nodejs plugin can help detect exploitation attempts. A sample command using curl to test the vulnerability is:

    curl -X POST -d 'path="><ScRiPt>alert(document.cookie)</ScRiPt>' 'http://<target>/plugins/nodejs/nodejs.jsp'

If the response or subsequent admin page execution triggers the script, the system is vulnerable. [1, 2]
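The monitoring approach described above, as an added example that is not part of the original page or of Openfire: a Python check that flags POST requests to the nodejs plugin endpoint whose 'path' field carries HTML-breaking characters, including mixed-case and multiply-encoded forms. It assumes request records of the form (method, URL path, form body) from a proxy or WAF log that captures bodies; the function names and sample records are hypothetical and constructed, and the patterns are heuristics.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "/plugins/nodejs/nodejs.jsp"  # endpoint named on this page
# Characters that let a value break out of an HTML attribute or open a tag.
HTML_BREAKOUT = re.compile(r"[<>\"']")
# Heuristic tag/handler patterns; case-insensitive because the page's
# sample payload uses mixed case (<ScRiPt>).
SCRIPTY = re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)

def decode_fully(value, max_rounds=3):
    """Undo nested URL encoding and HTML entities (detection use only)."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, url_path, body):
    """Return a finding for a suspicious 'path' form field, else None."""
    if method.upper() != "POST" or not url_path.split("?")[0].endswith(ENDPOINT):
        return None
    for raw in parse_qs(body, keep_blank_values=True).get("path", []):
        value = decode_fully(raw)
        if SCRIPTY.search(value):
            return {"severity": "high", "value": value}
        if HTML_BREAKOUT.search(value):
            return {"severity": "medium", "value": value}
    return None

# Constructed records (method, URL path, form body), not real traffic.
SAMPLES = [
    ("POST", ENDPOINT, 'path="><ScRiPt>alert(document.cookie)</ScRiPt>'),
    ("POST", ENDPOINT, "path=%2522%253E%253CScRiPt%253Ealert(1)%253C%252FScRiPt%253E"),
    ("POST", ENDPOINT, "path=%2Fusr%2Flocal%2Fbin%2Fnode"),
    ("GET", ENDPOINT, ""),
    ("POST", "/login.jsp", "path=<script>"),
]

def scan(records):
    """Return (record index, finding) for every flagged record."""
    findings = ((i, inspect_request(*r)) for i, r in enumerate(records))
    return [(i, f) for i, f in findings if f]

if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding["severity"], finding["value"])
```

An ordinary filesystem path passes cleanly, so any hit on this endpoint is worth reviewing alongside the stored nodejs configuration value.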
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the nodejs plugin configuration page to trusted administrative users only, applying input validation or sanitization on the 'path' parameter to prevent script injection, and monitoring for suspicious POST requests targeting the vulnerable endpoint. Additionally, upgrading Openfire to a version later than 4.6.0 where this vulnerability is fixed or disabling the nodejs plugin if not required can help mitigate the risk. [2]