CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-32917
https://notcve.org/view.php?id=CVE-2021-32917
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. Se detectó un problema en Prosody versiones anteriores a 0.11.9. El componente proxy65 permite un acceso abierto por defecto, incluso si ninguno de los usuarios tiene una cuenta XMPP en el servidor local, permitiendo el uso sin restricciones del ancho de banda del servidor • http://www.openwall.com/lists/oss-security/2021/05/13/1 http://www.openwall.com/lists/oss-security/2021/05/14/2 https://blog.prosody.im/prosody-0.11.9-released https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7 https://lists.fedoraproject.org& • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-10847
https://notcve.org/view.php?id=CVE-2018-10847
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance. Prosody, en versiones anteriores a la 0.10.2 y 0.9.14, es vulnerable a una omisión de autenticación. Prosody no verificó que el host virtual asociado a una sesión de usuario se mantuviese igual durante los reinicios del flujo. • https://blog.prosody.im/prosody-0-10-2-security-release https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847 https://issues.prosody.im/1147 https://prosody.im/security/advisory_20180531 https://www.debian.org/security/2018/dsa-4216 • CWE-287: Improper Authentication CWE-592: DEPRECATED: Authentication Bypass Issues •