CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25420
https://notcve.org/view.php?id=CVE-2024-25420
26 Mar 2024 — An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component. Un problema en Ignite Realtime Openfire v.4.9.0 y anteriores permite a un atacante remoto escalar privilegios a través del componente de propiedad del sistema admin.authorizedJIDs. • https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java • CWE-273: Improper Check for Dropped Privileges •
CVSS: 8.6EPSS: 94%CPEs: 2EXPL: 13CVE-2023-32315 – Ignite Realtime Openfire Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2023-32315
26 May 2023 — Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been... • https://packetstorm.news/files/id/173607 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 80%CPEs: 3EXPL: 2CVE-2021-45967
https://notcve.org/view.php?id=CVE-2021-45967
18 Mar 2022 — An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints. Se ha detectado un problema en Pascom Cloud Phone System versiones anteriores a 7.20.x. Un error de configuración entre NGINX y un servidor Tomcat backend conlleva a un salto de ruta en el servidor Tomcat, exponiendo endpoints no deseados • https://kerbit.io/research/read/blog/4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35199
https://notcve.org/view.php?id=CVE-2020-35199
12 Dec 2020 — Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS. Ignite Realtime Openfire versión 4.6.0, presenta un XSS almacenado en el parámetro groupchatJID del archivo create-bookmark.jsp • https://www.exploit-db.com/exploits/49233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35200
https://notcve.org/view.php?id=CVE-2020-35200
12 Dec 2020 — Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS. Ignite Realtime Openfire versión 4.6.0, presenta una vulnerabilidad de tipo XSS Reflexivo en el archivo plugins/clientcontrol/spark-form.jsp • https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35202
https://notcve.org/view.php?id=CVE-2020-35202
12 Dec 2020 — Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS. Ignite Realtime Openfire versión 4.6.0, presenta una vulnerabilidad de tipo XXS Almacenado en el archivo sql plugins/dbaccess/db-access.jsp • https://www.exploit-db.com/exploits/49235 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35201
https://notcve.org/view.php?id=CVE-2020-35201
12 Dec 2020 — Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS. Ignite Realtime Openfire versión 4.6.0, presenta una vulnerabilidad de tipo XSS Almacenado en los usuarios del archivo create-bookmark.jsp • https://www.exploit-db.com/exploits/49234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35127
https://notcve.org/view.php?id=CVE-2020-35127
11 Dec 2020 — Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS. Ignite Realtime Openfire versión 4.6.0, presenta una vulnerabilidad de tipo XSS Almacenado del archivo plugins/bookmarks/createbookmark.jsp • https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-24601
https://notcve.org/view.php?id=CVE-2020-24601
02 Sep 2020 — In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import certificate trusted page En Ignite Realtime Openfire versión 4.5.1, una vulnerabilidad de tipo Cross-site Almacenado permite a un atacante ejecutar una URL maliciosa arbitraria por medio del parámetro POST vulnerable "searchName", "alias" en la página import certificate trusted • https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2020-24604
https://notcve.org/view.php?id=CVE-2020-24604
02 Sep 2020 — A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp Se detectó una vulnerabilidad de tipo XSS Reflejado en Ignite Realtime Openfire versión 4.5.1. La vulnerabilidad de tipo XSS permite... • https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •