CVE-2020-12772
https://notcve.org/view.php?id=CVE-2020-12772
An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an attacker to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. • https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-20526
https://notcve.org/view.php?id=CVE-2019-20526
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter. • https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20525
https://notcve.org/view.php?id=CVE-2019-20525
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter. • https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20527
https://notcve.org/view.php?id=CVE-2019-20527
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter. • https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-20528
https://notcve.org/view.php?id=CVE-2019-20528
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. • https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')