CVSS: 5.3EPSS: 83%CPEs: 1EXPL: 0CVE-2019-18393
https://notcve.org/view.php?id=CVE-2019-18393
24 Oct 2019 — PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. El archivo PluginServlet.java en Ignite Realtime Openfire versiones hasta 4.4.2, no garantiza que los archivos recuperados se encuentren en el directorio de inicio de Openfire, también se conoce como una vulnerabilidad de salto de directorio. • https://github.com/igniterealtime/Openfire/pull/1498 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15488
https://notcve.org/view.php?id=CVE-2019-15488
23 Aug 2019 — Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. Ignite Realtime Openfire anterior de la versión 4.4.1 ha reflejado XSS a través de una prueba de configuración LDAP. • https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 4CVE-2018-11688 – Ignite Realtime Openfire 3.7.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-11688
05 Jun 2018 — Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. Ignite Realtime Openfire 3.7.1 es vulnerable a las secuencias de comandos entre sitios... • https://packetstorm.news/files/id/148057 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15911
https://notcve.org/view.php?id=CVE-2017-15911
26 Oct 2017 — The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application. La consola de administrador en Ignite Realtime Openfire Server en versiones anteriores... • https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 4%CPEs: 1EXPL: 3CVE-2015-7707 – Openfire 3.10.2 - Privilege Escalation
https://notcve.org/view.php?id=CVE-2015-7707
15 Sep 2015 — Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp. Ignite Realtime Openfire 3.10.2 permite a usuarios remotos autenticados obtener acceso de administrador a través del parametro isadmin en user-edit-form.jsp. Multiple vulnerabilities have been found in Openfire, the worst of which could lead to privilege escalation. Versions less than 4.1.0 are affected. • https://packetstorm.news/files/id/133559 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.1EPSS: 6%CPEs: 1EXPL: 3CVE-2015-6972 – Openfire 3.10.2 - Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-6972
15 Sep 2015 — Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp. Múltiples vulnerabilidades de XSS en Ignite Realtime Openfire 3.10.2, permite a atacantes remotos iny... • https://packetstorm.news/files/id/133558 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 14%CPEs: 1EXPL: 2CVE-2015-6973 – Openfire 3.10.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-6973
14 Sep 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp. Múltiples vulnerab... • https://packetstorm.news/files/id/133554 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2014-3451 – OpenFire XMPP 3.9.3 Certificate Handling
https://notcve.org/view.php?id=CVE-2014-3451
24 Apr 2015 — OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. OpenFire XMPP Server en versiones anteriores a la 3.10 acepta certificados autofirmados, lo que permite que atacantes remotos realicen ataques de spoofing sin especificar. OpenFire XMPP versions 3.9.3 and below incorrectly accepts self-signed certificates potentially allowing for spoofing attacks. • http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 4%CPEs: 1EXPL: 0CVE-2014-2741 – Gentoo Linux Security Advisory 201406-35
https://notcve.org/view.php?id=CVE-2014-2741
11 Apr 2014 — nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. El archivo nio/XMLLightweightParser.java en Ignite Realtime Openfire anterior a versión 3.9.2, no restringe apropiadamente el procesamiento de elementos XML comprimidos, lo que permite a los atacantes remotos causar una denegación de se... • http://community.igniterealtime.org/thread/52317 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 7%CPEs: 29EXPL: 4CVE-2009-1595 – Openfire 3.x - jabber:iq:auth 'passwd_change' Remote Password Change
https://notcve.org/view.php?id=CVE-2009-1595
11 May 2009 — The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action. La implementación jabber:iq:auth en IQAuthHandler.java de Ignite Realtime Openfire v3.6.5 permite a usuarios remotos autenticados cambiar las contraseñas de cuentas de usuario de su elección a través de un elemento "username" (nombre de usuario) modificado en la acción passwd... • https://www.exploit-db.com/exploits/32967 • CWE-287: Improper Authentication •