CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15911
https://notcve.org/view.php?id=CVE-2017-15911
26 Oct 2017 — The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application. La consola de administrador en Ignite Realtime Openfire Server en versiones anteriores... • https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 4%CPEs: 1EXPL: 3CVE-2015-7707 – Openfire 3.10.2 - Privilege Escalation
https://notcve.org/view.php?id=CVE-2015-7707
15 Sep 2015 — Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp. Ignite Realtime Openfire 3.10.2 permite a usuarios remotos autenticados obtener acceso de administrador a través del parametro isadmin en user-edit-form.jsp. Multiple vulnerabilities have been found in Openfire, the worst of which could lead to privilege escalation. Versions less than 4.1.0 are affected. • https://packetstorm.news/files/id/133559 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 6%CPEs: 1EXPL: 3CVE-2015-6972 – Openfire 3.10.2 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-6972
15 Sep 2015 — Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp. Múltiples vulnerabilidades de XSS en Ignite Realtime Openfire 3.10.2, permite a atacantes remotos iny... • https://packetstorm.news/files/id/133558 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 14%CPEs: 1EXPL: 2CVE-2015-6973 – Openfire 3.10.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-6973
14 Sep 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp. Múltiples vulnerab... • https://packetstorm.news/files/id/133554 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2014-3451 – OpenFire XMPP 3.9.3 Certificate Handling
https://notcve.org/view.php?id=CVE-2014-3451
24 Apr 2015 — OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. OpenFire XMPP Server en versiones anteriores a la 3.10 acepta certificados autofirmados, lo que permite que atacantes remotos realicen ataques de spoofing sin especificar. OpenFire XMPP versions 3.9.3 and below incorrectly accepts self-signed certificates potentially allowing for spoofing attacks. • http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 4%CPEs: 1EXPL: 0CVE-2014-2741 – Gentoo Linux Security Advisory 201406-35
https://notcve.org/view.php?id=CVE-2014-2741
11 Apr 2014 — nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. El archivo nio/XMLLightweightParser.java en Ignite Realtime Openfire anterior a versión 3.9.2, no restringe apropiadamente el procesamiento de elementos XML comprimidos, lo que permite a los atacantes remotos causar una denegación de se... • http://community.igniterealtime.org/thread/52317 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 7%CPEs: 29EXPL: 4CVE-2009-1595 – Openfire 3.x - jabber:iq:auth 'passwd_change' Remote Password Change
https://notcve.org/view.php?id=CVE-2009-1595
11 May 2009 — The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action. La implementación jabber:iq:auth en IQAuthHandler.java de Ignite Realtime Openfire v3.6.5 permite a usuarios remotos autenticados cambiar las contraseñas de cuentas de usuario de su elección a través de un elemento "username" (nombre de usuario) modificado en la acción passwd... • https://www.exploit-db.com/exploits/32967 • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2009-1596 – Gentoo Linux Security Advisory 201406-35
https://notcve.org/view.php?id=CVE-2009-1596
11 May 2009 — Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet. Ignite Realtime Openfire antes de v3.6.5 no implementa correctamente la propiedad de configuración de la consola register.password (alias canChangePassword), lo que permite eludir la política de seguridad a usuarios remotos autenticados, así... • http://secunia.com/advisories/34984 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 3%CPEs: 25EXPL: 3CVE-2008-6509 – Openfire Server 3.6.0a - Authentication Bypass / SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-6509
23 Mar 2009 — SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp. Vulnerabilidad de inyección de SQL en CallLogDAO en el complemento SIP para Openfire 3.6.0a y anteriores permite a atacantes remotos ejecutar comandos SQL a través del parámetro tipo (type) de sipark-log-summary.jsp. • https://www.exploit-db.com/exploits/7075 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 3%CPEs: 25EXPL: 3CVE-2008-6510 – Openfire Server 3.6.0a - Authentication Bypass / SQL Injection / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-6510
23 Mar 2009 — Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter. Una vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en login.jsp en la Consola de Administración de Openfire 3.6.0a y anteriores permite a atacantes remotos inyectar HTML o scripts web arbitrarios a través del parámetro URL. • https://www.exploit-db.com/exploits/7075 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •