CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0217 – Debian Security Advisory 5047-1
https://notcve.org/view.php?id=CVE-2022-0217
28 Jan 2022 — It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). Se ha detectado que una biblioteca interna de Prosody para cargar XML basada en libexpat no restringe apropiadamente las... • https://bugzilla.redhat.com/show_bug.cgi?id=2040639 • CWE-611: Improper Restriction of XML External Entity Reference CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 5.9EPSS: 3%CPEs: 6EXPL: 0CVE-2021-32921 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32921
13 May 2021 — An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker. Se detectó un problema en Prosody versiones anteriores a 0.11.9. No utiliza un algoritmo de tiempo constante para comparar determinadas cadenas secretas cuando se ejecuta bajo Lua versiones 5.2 o posteriores. • http://www.openwall.com/lists/oss-security/2021/05/13/1 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.8EPSS: 3%CPEs: 5EXPL: 0CVE-2021-32920 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32920
13 May 2021 — Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Prosody versiones anteriores a 0.11.9, permite un Consumo No Controlado de CPU por medio de una avalancha de peticiones de renegociación SSL/TLS Multiple vulnerabilities have been found in Prosŏdy IM, the worst of which could result in a Denial of Service condition. Versions less than 0.11.9 are affected. • http://www.openwall.com/lists/oss-security/2021/05/13/1 •
CVSS: 7.5EPSS: 2%CPEs: 7EXPL: 0CVE-2021-32918 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32918
13 May 2021 — An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. Se detectó un problema en Prosody versiones anteriores a 0.11.9. La configuración predeterminada es susceptible a ataques remotos de denegación de servicio (DoS) no autenticados por medio del agotamiento de la memoria cuando se ejecuta bajo Lua versiones 5.2 o Lua 5.3 Multiple vulnerabilities have been f... • http://www.openwall.com/lists/oss-security/2021/05/13/1 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 5%CPEs: 6EXPL: 0CVE-2021-32917 – Debian Security Advisory 4916-1
https://notcve.org/view.php?id=CVE-2021-32917
13 May 2021 — An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. Se detectó un problema en Prosody versiones anteriores a 0.11.9. El componente proxy65 permite un acceso abierto por defecto, incluso si ninguno de los usuarios tiene una cuenta XMPP en el servidor local, permitiendo el uso sin restricciones del ancho de banda del servidor Multipl... • http://www.openwall.com/lists/oss-security/2021/05/13/1 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-10847 – Debian Security Advisory 4216-1
https://notcve.org/view.php?id=CVE-2018-10847
04 Jun 2018 — prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance. Prosody, en versiones anteriores a la 0.10.2 y 0.9.14, es vulnerable a una omisión de autenticación. Prosody no verificó que el host virtual asociado a una sesión de usuario se mantuviese ... • https://blog.prosody.im/prosody-0-10-2-security-release • CWE-287: Improper Authentication CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2017-18265 – Debian Security Advisory 4198-1
https://notcve.org/view.php?id=CVE-2017-18265
09 May 2018 — Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module. Prosody en versiones anteriores a la 0.10.0 permite que atacantes remotos provoquen una denegación de servicio (cierre inesperado de la aplicación). Esto está relacionado con una inco... • https://bugs.debian.org/875829 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-0756 – Debian Security Advisory 3463-1
https://notcve.org/view.php?id=CVE-2016-0756
29 Jan 2016 — The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix. La función generate_dialback en el módulo mod_dialback en Prosody en versiones anteriores a 0.9.10 no separa campos correctamente cuando genera claves de devolución de llamada, lo que permite a atacantes remotos s... • http://blog.prosody.im/prosody-0-9-10-released • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2016-1232 – Debian Security Advisory 3439-1
https://notcve.org/view.php?id=CVE-2016-1232
11 Jan 2016 — The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack. El módulo mod_dialback en Prosody en versiones anteriores a 0.9.9 no genera adecuadamente valores aleatorios para para el token secreto en la autenticación de devolución de llamada de servidor a servidor, lo que hace que sea más fácil para atacantes suplantar servidores a trav... • http://blog.prosody.im/prosody-0-9-9-security-release •
CVSS: 7.8EPSS: 2%CPEs: 21EXPL: 2CVE-2014-2744 – Debian Security Advisory 2895-2
https://notcve.org/view.php?id=CVE-2014-2744
11 Apr 2014 — plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack. plugins/mod_compression.lua en (1) Prosody anterior a 0.9.4 y (2) Lightwitch Metronome hasta 3.4 negocia compresión de cadena mientras una sesión no está autenticada, lo que permite a atacantes ... • http://blog.prosody.im/prosody-0-9-4-released • CWE-20: Improper Input Validation •