CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15911
https://notcve.org/view.php?id=CVE-2017-15911
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application. La consola de administrador en Ignite Realtime Openfire Server en versiones anteriores a la 4.1.7 permite la ejecución arbitraria de código JavaScript del lado del cliente en víctimas que hagan clic en un enlace setup/setup-host-settings.jsp? • https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html https://issues.igniterealtime.org/browse/OF-1417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3451
https://notcve.org/view.php?id=CVE-2014-3451
OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. OpenFire XMPP Server en versiones anteriores a la 3.10 acepta certificados autofirmados, lo que permite que atacantes remotos realicen ataques de spoofing sin especificar. • http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html http://www.openwall.com/lists/oss-security/2015/04/23/16 http://www.securityfocus.com/archive/1/535363/100/1100/threaded http://www.securityfocus.com/bid/74305 https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2014-2741
https://notcve.org/view.php?id=CVE-2014-2741
nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. El archivo nio/XMLLightweightParser.java en Ignite Realtime Openfire anterior a versión 3.9.2, no restringe apropiadamente el procesamiento de elementos XML comprimidos, lo que permite a los atacantes remotos causar una denegación de servicio (consumo de recursos) por medio de una secuencia XMPP diseñada, también conocido como ataque "xmppbomb" . • http://community.igniterealtime.org/thread/52317 http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77 http://openwall.com/lists/oss-security/2014/04/07/7 http://openwall.com/lists/oss-security/2014/04/09/1 http://www.kb.cert.org/vuls/id/495476 http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas • CWE-264: Permissions, Privileges, and Access Controls •