
CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
References:
• http://advisories.mageia.org/MGASA-2014-0417.html
• http://mail.jabber.org/pipermail/operators/2014-October/002438.html
• http://seclists.org/oss-sec/2014/q4/312
• http://www.mandriva.com/security/advisories?name=MDVSA-2014:207
• http://www.mandriva.com/security/advisories?name=MDVSA-2015:175
• http://www.securityfocus.com/bid/70415
• https://bugzilla.redhat.com/show_bug.cgi?id=1153839
• https://github.com/processone/ejabberd/commit/7bdc1151b
Weakness: CWE-310: Cryptographic Issues

CVSS: 4.3 | EPSS: 0% | CPEs: 32 | EXPL: 0

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack.
References:
• http://www.debian.org/security/2013/dsa-2775
• https://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.12
Weakness: CWE-310: Cryptographic Issues

CVSS: 5.0 | EPSS: 6% | CPEs: 34 | EXPL: 0

expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
References:
• http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062099.html
• http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062145.html
• http://secunia.com/advisories/44765
• http://secunia.com/advisories/44807
• http://secunia.com/advisories/45120
• http://www.debian.org/security/2011/dsa-2248
• http://www.ejabberd.im/ejabberd-2.1.7
• http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.7
• http://www.securityfocus.com/bid/48072
• https:/&#x
Weakness: CWE-399: Resource Management Errors

CVSS: 5.0 | EPSS: 8% | CPEs: 22 | EXPL: 0

ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to cause a denial of service (daemon crash) via a large number of c2s (aka client2server) messages that trigger a queue overload.
References:
• http://secunia.com/advisories/38337
• http://secunia.com/advisories/39423
• http://www.debian.org/security/2010/dsa-2033
• http://www.openwall.com/lists/oss-security/2010/01/29/1
• http://www.openwall.com/lists/oss-security/2010/01/29/5
• http://www.osvdb.org/62066
• http://www.securityfocus.com/bid/38003
• http://www.vupen.com/english/advisories/2010/0894
• https://exchange.xforce.ibmcloud.com/vulnerabilities/56025
• https://support.process-one.net/browse/EJAB-1173
Weakness: CWE-20: Improper Input Validation

CVSS: 4.3 | EPSS: 0% | CPEs: 17 | EXPL: 0

Cross-site scripting (XSS) vulnerability in ejabberd before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to links and MUC logs.
References:
• http://osvdb.org/52714
• http://secunia.com/advisories/34340
• http://secunia.com/advisories/34354
• http://secunia.com/advisories/34781
• http://www.debian.org/security/2009/dsa-1774
• http://www.openwall.com/lists/oss-security/2009/03/16/1
• http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_204
• http://www.securityfocus.com/bid/34133
• https://exchange.xforce.ibmcloud.com/vulnerabilities/49289
• https://www.redhat.com/archives/fedora-package-announce/2009-March/
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')