Vulnerability
Openfire, a Jabber portal assisted by Ignite Realtime. It is a Java application that works through many platforms. It is a network for small companies that allows them to monitor private communications and make immediate messaging more convenient. Versions of the Openfire Admin Console prior to 4.4.3 are subject to a full read SSRF flaw in the FaviconServlet. Unauthenticated attackers can exploit this flaw by sending arbitrary HTTP GET requests to the corporate network and obtaining full-sized outputs from the intended web services.
Mitigation / Precaution
- Update Openfire to the most recent patch (This problem was resolved in version 4.4.3).
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
