{"id":"CVE-2018-11688","details":"Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.","aliases":["GHSA-jphj-5g3m-w7x6"],"modified":"2026-04-10T04:04:37.663027Z","published":"2018-06-13T16:29:01.437Z","references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2018/Jun/24"},{"type":"WEB","url":"https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2"},{"type":"ADVISORY","url":"http://www.securityfocus.com/archive/1/542060/100/0/threaded"},{"type":"FIX","url":"https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a"},{"type":"EVIDENCE","url":"https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2018/Jun/13"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/igniterealtime/openfire","events":[{"introduced":"0"},{"last_affected":"3acbbf9a9885e81326ba83db26473608f2adc094"},{"fixed":"ed3492a24274fd454afe93a499db49f3d6335108"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.7.1"}]}}],"versions":["attic/origin/master","attic/trunk","v3.7.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11688.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}