CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0217 – Debian Security Advisory 5047-1
https://notcve.org/view.php?id=CVE-2022-0217
28 Jan 2022 — It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). Se ha detectado que una biblioteca interna de Prosody para cargar XML basada en libexpat no restringe apropiadamente las... • https://bugzilla.redhat.com/show_bug.cgi?id=2040639 • CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-37601
https://notcve.org/view.php?id=CVE-2021-37601
28 Jul 2021 — muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations. El archivo muc.lib.lua en Prosody versiones 0.11.0 hasta 0.11.9, permite a atacantes remotos obtener información confidencial (lista de administradores, miembros, propietarios y entidades prohibidas de una sala de chat multiusuario) en algunas configuraciones comunes • http://www.openwall.com/lists/oss-security/2021/07/28/4 •
CVSS: 5.9EPSS: 3%CPEs: 6EXPL: 0CVE-2021-32921 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32921
13 May 2021 — An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. Se detectó un problema en Prosody versiones anteriores a 0.11.9. No utiliza un algoritmo de tiempo constante para comparar determinadas cadenas secretas cuando se ejecuta bajo Lua versiones 5.2 o posteriores. • http://www.openwall.com/lists/oss-security/2021/05/13/1 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.8EPSS: 3%CPEs: 5EXPL: 0CVE-2021-32920 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32920
13 May 2021 — Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Prosody versiones anteriores a 0.11.9, permite un Consumo No Controlado de CPU por medio de una avalancha de peticiones de renegociación SSL/TLS Multiple vulnerabilities have been found in Prosŏdy IM, the worst of which could result in a Denial of Service condition. Versions less than 0.11.9 are affected. • http://www.openwall.com/lists/oss-security/2021/05/13/1 •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-32919 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32919
13 May 2021 — An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled). Se detectó un problema en Prosody versiones anteriores a 0.11.9. La opción no documentada dialback_without_dialback en la función mod_dialback habilita una funcionalidad exp... • http://www.openwall.com/lists/oss-security/2021/05/13/1 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 2%CPEs: 7EXPL: 0CVE-2021-32918 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32918
13 May 2021 — An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. Se detectó un problema en Prosody versiones anteriores a 0.11.9. La configuración predeterminada es susceptible a ataques remotos de denegación de servicio (DoS) no autenticados por medio del agotamiento de la memoria cuando se ejecuta bajo Lua versiones 5.2 o Lua 5.3 Multiple vulnerabilities have been f... • http://www.openwall.com/lists/oss-security/2021/05/13/1 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 5%CPEs: 6EXPL: 0CVE-2021-32917 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32917
13 May 2021 — An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. Se detectó un problema en Prosody versiones anteriores a 0.11.9. El componente proxy65 permite un acceso abierto por defecto, incluso si ninguno de los usuarios tiene una cuenta XMPP en el servidor local, permitiendo el uso sin restricciones del ancho de banda del servidor Multipl... • http://www.openwall.com/lists/oss-security/2021/05/13/1 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-10847 – Debian Security Advisory 4216-1
https://notcve.org/view.php?id=CVE-2018-10847
04 Jun 2018 — prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance. Prosody, en versiones anteriores a la 0.10.2 y 0.9.14, es vulnerable a una omisión de autenticación. Prosody no verificó que el host virtual asociado a una sesión de usuario se mantuviese ... • https://blog.prosody.im/prosody-0-10-2-security-release • CWE-287: Improper Authentication CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2017-18265 – Debian Security Advisory 4198-1
https://notcve.org/view.php?id=CVE-2017-18265
09 May 2018 — Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module. Prosody en versiones anteriores a la 0.10.0 permite que atacantes remotos provoquen una denegación de servicio (cierre inesperado de la aplicación). Esto está relacionado con una inco... • https://bugs.debian.org/875829 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-0756 – Debian Security Advisory 3463-1
https://notcve.org/view.php?id=CVE-2016-0756
29 Jan 2016 — The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix. La función generate_dialback en el módulo mod_dialback en Prosody en versiones anteriores a 0.9.10 no separa campos correctamente cuando genera claves de devolución de llamada, lo que permite a atacantes remotos s... • http://blog.prosody.im/prosody-0-9-10-released • CWE-20: Improper Input Validation •