CVE-2019-18394
Published: 2019-10-24
Priority: P1 · 81 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 32.30% (98.1th percentile)
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| igniterealtime | openfire | <= 4.4.2 | — |
| pascom | cloud_phone_system | <= 7.19 | — |
Detection & IOCs (extracted from sources)
- url: /getFavicon?host=oast.fun?
- domain: oast.fun
- path: /getFavicon
- The vulnerable endpoint is /getFavicon with a `host` parameter; send a GET request with an out-of-band callback domain as the host value and look for an HTTP interaction on the OAST server to confirm SSRF.
- A successful SSRF exploitation returns HTTP 200 with Content-Type image/x-icon and a body containing 'Interactsh Server'.
- Identify exposed Openfire Admin Console instances via Shodan queries on http.title to prioritise scanning targets.
- The vulnerability is unauthenticated (PR:N, UI:N) and affects Openfire <=4.4.3; any internet-facing Openfire instance on that version should be treated as exploitable without credentials.
- The same SSRF primitive exists in the XMPP Server component (xmppserver jar) of the Jive platform as used in Pascom Cloud Phone System before 7.20.x; monitor backend Tomcat traffic for unexpected outbound requests originating from the /getFavicon handler.
- The OAST domain 'oast.fun' used in the nuclei template is the Interactsh public server; replace it with a privately controlled out-of-band server in production testing to avoid leaking target information.
- The trailing '?' appended after the OAST domain in the host parameter is intentional: it truncates any additional path appended by the server, ensuring the callback goes to the root of the OOB host.
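The notes above describe the request shape (/getFavicon with a `host` parameter) and recommend watching for unexpected outbound requests from the handler. The following is an added example, not code from this page, from Openfire, from Nuclei or from any of the sources quoted here: a small Python detector that scans web-server access-log lines for /getFavicon requests whose `host` value is not one of the deployment's own domains, and labels hits on Interactsh callback domains separately. The combined access-log format, the `INTERNAL_HOSTS` allowlist, the sample log lines and the `interact.sh` domain are assumptions made for the example; `oast.fun` is taken from the page.

```python
"""Access-log detector for /getFavicon SSRF probes (CVE-2019-18394 shape).

Added example; this is not code from Openfire, Nuclei or any source quoted
on this page.  It parses Apache/Tomcat combined access-log lines (assumed
format), pulls the `host` parameter out of /getFavicon requests and flags any
value that is not one of the deployment's own XMPP domains.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: these are the only domains the favicon servlet should ever be
# asked to fetch for in this deployment.  Adjust to the real server names.
INTERNAL_HOSTS = {"chat.example.internal", "xmpp.example.internal"}

# Out-of-band callback domains: oast.fun is named on this page; interact.sh
# is assumed here as the Interactsh project's other public server domain.
OAST_DOMAINS = ("oast.fun", "interact.sh")

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2023:10:01:02 +0000] "GET /getFavicon?host=oast.fun? HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Nov/2023:10:01:05 +0000] "GET /getFavicon?host=http%3A%2F%2Fintranet.example.internal%3A8080%2Fadmin HTTP/1.1" 200 318 "-" "curl/7.88.1"',
    '198.51.100.4 - - [14/Nov/2023:10:02:11 +0000] "GET /getFavicon?host=chat.example.internal HTTP/1.1" 200 1150 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Nov/2023:10:02:12 +0000] "GET /login.jsp HTTP/1.1" 200 4711 "-" "Mozilla/5.0"',
    'not an access log line',
]


def extract_favicon_host(target):
    """Return the raw `host` parameter of a /getFavicon request, or None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/getFavicon":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("host")
    if not values:
        return None
    return unquote(values[0])  # tolerate a double-encoded value


def normalize_host(value):
    """Reduce a host parameter (possibly a full URL) to its bare host name."""
    v = value.strip()
    if "://" in v:
        v = v.split("://", 1)[1]                  # drop scheme
    v = re.split(r"[/?#]", v, maxsplit=1)[0]      # drop path, query, fragment
    v = v.rsplit("@", 1)[-1]                      # drop userinfo
    if v.startswith("[") and "]" in v:            # bracketed IPv6 literal
        return v[1:v.index("]")].lower()
    return v.split(":", 1)[0].lower()             # drop port


def classify_host(host):
    """None for an allowed host, otherwise a label for the finding."""
    if host in INTERNAL_HOSTS:
        return None
    if any(host == d or host.endswith("." + d) for d in OAST_DOMAINS):
        return "oast-callback"
    return "external-host"


def scan_log(lines):
    """Return one finding per /getFavicon request whose host is not allowed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line, skip it
        raw = extract_favicon_host(m["target"])
        if raw is None:
            continue  # not a favicon request, or no host parameter
        host = normalize_host(raw)
        label = classify_host(host)
        if label:
            findings.append({"src": m["src"], "time": m["ts"], "status": m["status"],
                             "host": host, "label": label})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} -> {f['host']} [{f['label']}] status={f['status']}")
```

An HTTP 200 in the access log does not on its own show that the callback succeeded (the Content-Type and 'Interactsh Server' body noted above are not recorded there), so a hit from this scan is best confirmed by correlating it with outbound connections from the Openfire host at the same timestamp, as the Pascom note above suggests.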
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
ghsa · 2022-05-24
CVE-2019-18394 [CRITICAL] CWE-918: Ignite Realtime Openfire vulnerable to Server Side Request Forgery
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. The issue is fixed in version 4.5.0-beta.
OSV
osv · 2022-05-24
CVE-2019-18394 [CRITICAL] Ignite Realtime Openfire vulnerable to Server Side Request Forgery
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. The issue is fixed in version 4.5.0-beta.
GHSA
ghsa_unreviewed · 2022-03-19 · CVSS 9.8
CVE-2021-45968 [CRITICAL] CWE-22 GHSA-x28m-8977-r45c
An issue was discovered in xmppserver jar in the XMPP Server component of the Jive platform, as used in Pascom Cloud Phone System before 7.20.x (and in other products). An endpoint in the backend Tomcat server of the Pascom allows SSRF, a related issue to CVE-2019-18394.
VulnCheck
vulncheck · 2019 · CVSS 9.8
CVE-2019-18394 [CRITICAL] Ignite Realtime Openfire Server-Side Request Forgery (SSRF)
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.
Affected: Ignite Realtime Openfire
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2019-18394; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2019-18394; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-1
No detection rules found.
Nuclei
nuclei · CVSS 9.8
CVE-2019-18394 [CRITICAL] Ignite Realtime Openfire <=4.4.2 - Server-Side Request Forgery
Ignite Realtime Openfire […] (>=4.4.3) to fix this vulnerability.
```yaml
reference:
  - https://swarm.ptsecurity.com/openfire-admin-console/
  - https://github.com/igniterealtime/Openfire/pull/1497
  - https://github.com/sobinge/nuclei-templates
  - https://github.com/ARPSyndicate/kenzer-templates
  - https://nvd.nist.gov/vuln/detail/CVE-2019-18394
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2019-18394
  cwe-id: CWE-918
  epss-score: 0.9388
  epss-percentile: 0.99872
  cpe: cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*
metadata:
  max-request: 1
  verified: true
  vendor: igniterealtime
  product: openfire
  shodan-query:
    - http.title:"openfire admin console"
    - http.title:"openfire"
  fofa-query:
    - title="openfire"
    - title="openfire admin console"
  google-query:
    - intitl
```
Unit42
blogs_unit42 · 2021-10-14
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu
Published: October 14, 2021
Tags: Cybercrime, Threat Research, Attack analysis, Exploit, Exploit in the wild, Interactsh
Greynoiseio
blogs_greynoiseio · CVSS 10.0
[CRITICAL] NoiseLetter December 2025