A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.
Recent assessments:
ericalexanderorg at August 04, 2020 4:42pm UTC reported:
More detail
<https://swarm.ptsecurity.com/openfire-admin-console/>
Stupid easy SSRF
> /getFavicon?host=192.168.176.1:8080/secrets.txt?
Assessed Attacker Value: 5
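A detection sketch for the request shape quoted in the assessment above, added here as an example; it is not code from Openfire or from the assessment. It flags `getFavicon` requests whose `host` value is anything other than a plain public hostname. The access-log format, the sample lines and the function names are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in an assumed common-log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2020:16:40:01 +0000] "GET /getFavicon?host=example.org HTTP/1.1" 200 1150',
    '10.0.0.9 - - [04/Aug/2020:16:41:12 +0000] "GET /getFavicon?host=192.168.176.1:8080/secrets.txt? HTTP/1.1" 200 42',
    '10.0.0.9 - - [04/Aug/2020:16:41:30 +0000] "GET /getFavicon?host=localhost HTTP/1.1" 200 0',
    '10.0.0.7 - - [04/Aug/2020:16:42:00 +0000] "GET /login.jsp HTTP/1.1" 200 5120',
]
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
# A plain DNS name such as example.org: dotted labels plus an alphabetic TLD.
BARE_HOSTNAME_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def favicon_host_findings(host):
    """Return the reasons a getFavicon host value is more than a site name."""
    reasons = []
    authority = re.split(r"[/?#]", host, maxsplit=1)[0]
    if authority != host:
        reasons.append("path-or-query")       # e.g. host=1.2.3.4/secrets.txt?
    name, sep, _port = authority.partition(":")
    if sep:
        reasons.append("explicit-port")
    try:
        ip = ipaddress.ip_address(name)
        reasons.append("ip-literal")
        if not ip.is_global:                  # private, loopback, link-local, ...
            reasons.append("internal-address")
    except ValueError:
        if not BARE_HOSTNAME_RE.match(name):  # localhost, single labels, odd characters
            reasons.append("not-a-public-hostname")
    return reasons

def scan(lines):
    """Return (client, host value, reasons) for each suspicious getFavicon request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or not url.path.endswith("/getFavicon"):
            continue
        for host in parse_qs(url.query).get("host", []):
            reasons = favicon_host_findings(host)
            if reasons:
                hits.append((line.split()[0], host, reasons))
    return hits

print(*scan(SAMPLE_LOG), sep="\n")
```

The same `favicon_host_findings` rules can serve as an allow-list check in a reverse proxy in front of the admin console until the server is upgraded past 4.4.2.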