Vulnerabilities related to igniterealtime - openfire
CVE-2008-6510 (GCVE-0-2008-6510)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/7075 | exploit, x_refsource_EXPLOIT-DB |
| http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt | x_refsource_MISC |
| http://www.igniterealtime.org/issues/browse/JM-629 | x_refsource_CONFIRM |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/46486 | vdb-entry, x_refsource_XF |
| http://www.securityfocus.com/bid/32189 | vdb-entry, x_refsource_BID |
| http://www.securityfocus.com/archive/1/498162/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
| http://www.vupen.com/english/advisories/2008/3061 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:34:47.158Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/issues/browse/JM-629" }, { "name": "openfire-url-xss(46486)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46486" }, { "name": "32189", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/32189" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "ADV-2008-3061", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/3061" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-11-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/issues/browse/JM-629" }, { "name": "openfire-url-xss(46486)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46486" }, { "name": "32189", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/32189" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "ADV-2008-3061", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/3061" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6510", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "7075", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7075" }, { "name": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt", "refsource": "MISC", "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "name": "http://www.igniterealtime.org/issues/browse/JM-629", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/issues/browse/JM-629" }, { "name": "openfire-url-xss(46486)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46486" }, { "name": "32189", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32189" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "ADV-2008-3061", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3061" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6510", "datePublished": "2009-03-23T19:26:00", "dateReserved": "2009-03-23T00:00:00", "dateUpdated": "2024-08-07T11:34:47.158Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-11688 (GCVE-0-2018-11688)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| http://seclists.org/fulldisclosure/2018/Jun/13 | mailing-list, x_refsource_FULLDISC |
| https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688 | x_refsource_MISC |
| http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html | x_refsource_MISC |
| http://www.securityfocus.com/archive/1/542060/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
| http://seclists.org/fulldisclosure/2018/Jun/24 | mailing-list, x_refsource_FULLDISC |
| https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2 | x_refsource_CONFIRM |
| https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T08:17:08.546Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20180605 Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2018/Jun/13" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html" }, { "name": "20180605 Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/542060/100/0/threaded" }, { "name": "20180608 Re: Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2018/Jun/24" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-06-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. 
A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim\u0027s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim\u0027s cookie-based authentication credentials." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-19T23:34:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20180605 Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2018/Jun/13" }, { "tags": [ "x_refsource_MISC" ], "url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html" }, { "name": "20180605 Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/542060/100/0/threaded" }, { "name": "20180608 Re: Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2018/Jun/24" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11688", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", 
"version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim\u0027s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim\u0027s cookie-based authentication credentials." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20180605 Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2018/Jun/13" }, { "name": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688", "refsource": "MISC", "url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688" }, { "name": "http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html" }, { "name": "20180605 Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/542060/100/0/threaded" }, { "name": "20180608 Re: Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2018/Jun/24" }, { "name": "https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2", "refsource": "CONFIRM", "url": 
"https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2" }, { "name": "https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a", "refsource": "CONFIRM", "url": "https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11688", "datePublished": "2018-06-13T16:00:00", "dateReserved": "2018-06-03T00:00:00", "dateUpdated": "2024-08-05T08:17:08.546Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20525 (GCVE-0-2019-20525)
Vulnerability from cvelistv5
- n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:10.379Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:56:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "x_ConverterErrors": { "cvssV3_0": { "error": "CVSSV3_0 data from v4 record is invalid", "message": "Missing mandatory metrics \"AV\"" } }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20525", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/A:N/C:L/I:L/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20525", "datePublished": "2020-03-19T17:56:30", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:10.379Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-24602 (GCVE-0-2020-24602)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://issues.igniterealtime.org/browse/OF-1963 | x_refsource_MISC |
| https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:19:08.526Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName\", \"searchValue\", \"searchDescription\", \"searchDefaultValue\",\"searchPlugin\", \"searchDescription\" and \"searchDynamic\" in the Server Properties and Security Audit Viewer JSP page" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-28T19:34:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24602", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.5.1 has a reflected 
Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName\", \"searchValue\", \"searchDescription\", \"searchDefaultValue\",\"searchPlugin\", \"searchDescription\" and \"searchDynamic\" in the Server Properties and Security Audit Viewer JSP page" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.igniterealtime.org/browse/OF-1963", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24602", "datePublished": "2020-09-02T14:37:26", "dateReserved": "2020-08-24T00:00:00", "dateUpdated": "2024-08-04T15:19:08.526Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20526 (GCVE-0-2019-20526)
Vulnerability from cvelistv5
- n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.715Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T17:56:48", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "x_ConverterErrors": { "cvssV3_0": { "error": "CVSSV3_0 data from v4 record is invalid", "message": "Missing mandatory metrics \"AV\"" } }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20526", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/A:N/C:L/I:L/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20526", "datePublished": "2020-03-19T17:56:48", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.715Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-24604 (GCVE-0-2020-24604)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://issues.igniterealtime.org/browse/OF-1963 | x_refsource_MISC |
| https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:19:09.297Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request \"searchName\", \"searchValue\", \"searchDescription\", \"searchDefaultValue\",\"searchPlugin\", \"searchDescription\" and \"searchDynamic\" in server-properties.jsp and security-audit-viewer.jsp" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-28T19:33:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24604", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A Reflected XSS vulnerability 
was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request \"searchName\", \"searchValue\", \"searchDescription\", \"searchDefaultValue\",\"searchPlugin\", \"searchDescription\" and \"searchDynamic\" in server-properties.jsp and security-audit-viewer.jsp" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.igniterealtime.org/browse/OF-1963", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24604", "datePublished": "2020-09-02T14:40:05", "dateReserved": "2020-08-24T00:00:00", "dateUpdated": "2024-08-04T15:19:09.297Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-18393 (GCVE-0-2019-18393)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://github.com/igniterealtime/Openfire/pull/1498 | x_refsource_MISC |
| https://swarm.ptsecurity.com/openfire-admin-console/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:54:14.170Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/pull/1498" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-07T00:49:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/pull/1498" }, { "tags": [ "x_refsource_MISC" ], "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18393", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/igniterealtime/Openfire/pull/1498", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/pull/1498" }, { "name": "https://swarm.ptsecurity.com/openfire-admin-console/", "refsource": "MISC", "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18393", "datePublished": "2019-10-24T10:58:18", "dateReserved": "2019-10-24T00:00:00", "dateUpdated": "2024-08-05T01:54:14.170Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-1595 (GCVE-0-2009-1595)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| http://www.vupen.com/english/advisories/2009/1237 | vdb-entry, x_refsource_VUPEN |
| http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html | x_refsource_CONFIRM |
| http://osvdb.org/54189 | vdb-entry, x_refsource_OSVDB |
| http://www.igniterealtime.org/community/message/190280 | x_refsource_CONFIRM |
| http://www.igniterealtime.org/issues/browse/JM-1531 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/34804 | vdb-entry, x_refsource_BID |
| http://secunia.com/advisories/34976 | third-party-advisory, x_refsource_SECUNIA |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/50292 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T05:20:34.610Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2009-1237", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/1237" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "name": "54189", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/54189" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1531" }, { "name": "34804", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/34804" }, { "name": "34976", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/34976" }, { "name": "openfire-jabberiqauth-security-bypass(50292)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50292" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-04-14T00:00:00", "descriptions": [ { "lang": "en", "value": "The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2009-1237", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/1237" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "name": "54189", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/54189" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1531" }, { "name": "34804", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/34804" }, { "name": "34976", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/34976" }, { "name": "openfire-jabberiqauth-security-bypass(50292)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50292" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-1595", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2009-1237", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/1237" }, { "name": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "name": "54189", "refsource": "OSVDB", "url": "http://osvdb.org/54189" }, { "name": "http://www.igniterealtime.org/community/message/190280", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/community/message/190280" }, { "name": "http://www.igniterealtime.org/issues/browse/JM-1531", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/issues/browse/JM-1531" }, { "name": "34804", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34804" }, { "name": "34976", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34976" }, { "name": "openfire-jabberiqauth-security-bypass(50292)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50292" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-1595", "datePublished": "2009-05-11T14:02:00", "dateReserved": "2009-05-11T00:00:00", "dateUpdated": "2024-08-07T05:20:34.610Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-24601 (GCVE-0-2020-24601)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://issues.igniterealtime.org/browse/OF-1963 | x_refsource_MISC | |
https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:19:07.748Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName\", \"alias\" in the import certificate trusted page" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-29T19:28:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24601", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName\", \"alias\" in the import 
certificate trusted page" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.igniterealtime.org/browse/OF-1963", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24601", "datePublished": "2020-09-02T14:41:40", "dateReserved": "2020-08-24T00:00:00", "dateUpdated": "2024-08-04T15:19:07.748Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20527 (GCVE-0-2019-20527)
Vulnerability from cvelistv5
- n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.611Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-19T13:51:57", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "x_ConverterErrors": { "cvssV3_0": { "error": "CVSSV3_0 data from v4 record is invalid", "message": "Missing mandatory metrics \"AV\"" } }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20527", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/A:N/C:L/I:L/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20527", "datePublished": "2020-03-19T13:51:57", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.611Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-1596 (GCVE-0-2009-1596)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
http://www.igniterealtime.org/community/message/190280 | x_refsource_CONFIRM | |
http://www.igniterealtime.org/issues/browse/JM-1532 | x_refsource_CONFIRM | |
http://secunia.com/advisories/34984 | third-party-advisory, x_refsource_SECUNIA | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/50291 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/34804 | vdb-entry, x_refsource_BID | |
http://www.osvdb.org/54189 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T05:20:34.723Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1532" }, { "name": "34984", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/34984" }, { "name": "openfire-nopassword-security-bypass(50291)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50291" }, { "name": "34804", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/34804" }, { "name": "54189", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/54189" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-04-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1532" }, { "name": "34984", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/34984" }, { "name": "openfire-nopassword-security-bypass(50291)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50291" }, { "name": "34804", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/34804" }, { "name": "54189", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/54189" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-1596", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.igniterealtime.org/community/message/190280", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/community/message/190280" }, { "name": "http://www.igniterealtime.org/issues/browse/JM-1532", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/issues/browse/JM-1532" }, { "name": "34984", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34984" }, { "name": "openfire-nopassword-security-bypass(50291)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50291" }, { "name": "34804", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34804" }, { "name": "54189", "refsource": "OSVDB", "url": "http://www.osvdb.org/54189" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-1596", "datePublished": "2009-05-11T14:02:00", "dateReserved": "2009-05-11T00:00:00", "dateUpdated": "2024-08-07T05:20:34.723Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-35199 (GCVE-0-2020-35199)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://www.exploit-db.com/exploits/49233 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:02:06.875Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/49233" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-12T17:20:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/49233" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35199", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.exploit-db.com/exploits/49233", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/49233" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35199", "datePublished": "2020-12-12T17:20:41", "dateReserved": "2020-12-12T00:00:00", "dateUpdated": "2024-08-04T17:02:06.875Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20366 (GCVE-0-2019-20366)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://issues.igniterealtime.org/browse/OF-1955 | x_refsource_MISC | |
https://github.com/igniterealtime/Openfire/pull/1561 | x_refsource_MISC | |
https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.503Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-29T19:36:55", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20366", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.igniterealtime.org/browse/OF-1955", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "name": "https://github.com/igniterealtime/Openfire/pull/1561", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20366", "datePublished": "2020-01-08T16:26:28", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2024-08-05T02:39:09.503Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-35202 (GCVE-0-2020-35202)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://www.exploit-db.com/exploits/49235 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:02:07.037Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/49235" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-12T17:20:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/49235" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35202", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.exploit-db.com/exploits/49235", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/49235" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35202", "datePublished": "2020-12-12T17:20:27", "dateReserved": "2020-12-12T00:00:00", "dateUpdated": "2024-08-04T17:02:07.037Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-35201 (GCVE-0-2020-35201)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://www.exploit-db.com/exploits/49234 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:02:06.929Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/49234" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-12T17:20:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/49234" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35201", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.exploit-db.com/exploits/49234", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/49234" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35201", "datePublished": "2020-12-12T17:20:19", "dateReserved": "2020-12-12T00:00:00", "dateUpdated": "2024-08-04T17:02:06.929Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-0497 (GCVE-0-2009-0497)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://bugs.gentoo.org/show_bug.cgi?id=257585 | x_refsource_MISC | |
http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/web/log.jsp | x_refsource_MISC | |
http://secunia.com/advisories/33452 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/32945 | vdb-entry, x_refsource_BID | |
http://www.securityfocus.com/archive/1/499880/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/47806 | vdb-entry, x_refsource_XF | |
http://www.coresecurity.com/content/openfire-multiple-vulnerabilities | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T04:40:03.528Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=257585" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/web/log.jsp" }, { "name": "33452", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/33452" }, { "name": "32945", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/32945" }, { "name": "20090108 CORE-2008-1128: Openfire multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/499880/100/0/threaded" }, { "name": "openfire-log-directory-traversal(47806)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47806" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.coresecurity.com/content/openfire-multiple-vulnerabilities" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-01-08T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in log.jsp in Ignite Realtime Openfire 3.6.2 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the log parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=257585" }, { "tags": [ "x_refsource_MISC" ], "url": "http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/web/log.jsp" }, { "name": "33452", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/33452" }, { "name": "32945", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/32945" }, { "name": "20090108 CORE-2008-1128: Openfire multiple vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/499880/100/0/threaded" }, { "name": "openfire-log-directory-traversal(47806)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47806" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.coresecurity.com/content/openfire-multiple-vulnerabilities" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0497", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in log.jsp in Ignite Realtime Openfire 3.6.2 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the log parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugs.gentoo.org/show_bug.cgi?id=257585", "refsource": "MISC", "url": "https://bugs.gentoo.org/show_bug.cgi?id=257585" }, { "name": "http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/web/log.jsp", "refsource": "MISC", "url": "http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/web/log.jsp" }, { "name": "33452", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/33452" }, { "name": "32945", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32945" }, { "name": "20090108 CORE-2008-1128: Openfire multiple vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/499880/100/0/threaded" }, { "name": "openfire-log-directory-traversal(47806)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47806" }, { "name": "http://www.coresecurity.com/content/openfire-multiple-vulnerabilities", "refsource": "MISC", "url": "http://www.coresecurity.com/content/openfire-multiple-vulnerabilities" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0497", "datePublished": "2009-02-10T01:00:00", "dateReserved": "2009-02-09T00:00:00", "dateUpdated": "2024-08-07T04:40:03.528Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20528 (GCVE-0-2019-20528)
Vulnerability from cvelistv5
- n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:46:09.701Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-18T18:36:38", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "x_ConverterErrors": { "cvssV3_0": { "error": "CVSSV3_0 data from v4 record is invalid", "message": "Missing mandatory metrics \"AV\"" } }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20528", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AC:L/A:N/C:L/I:L/PR:N/S:C/UI:R", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/", "refsource": "MISC", "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20528", "datePublished": "2020-03-18T18:36:38", "dateReserved": "2020-03-18T00:00:00", "dateUpdated": "2024-08-05T02:46:09.701Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-25421 (GCVE-0-2024-25421)
Vulnerability from cvelistv5
- n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.006Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.igniterealtime.org/projects/openfire/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/muc/spi/LocalMUCRoomManager.java" }, { "tags": [ "x_transferred" ], "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:ignite_realtime:openfire:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "openfire", "vendor": "ignite_realtime", "versions": [ { "lessThanOrEqual": "4.9.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-25421", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-07T19:48:28.276555Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-250", "description": "CWE-250 Execution with Unnecessary Privileges", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-07T20:13:52.341Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": 
"n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the ROOM_CACHE component." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-26T20:08:26.842223", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.igniterealtime.org/projects/openfire/" }, { "url": "https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/muc/spi/LocalMUCRoomManager.java" }, { "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-25421", "datePublished": "2024-03-26T00:00:00", "dateReserved": "2024-02-07T00:00:00", "dateUpdated": "2024-08-07T20:13:52.341Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-15488 (GCVE-0-2019-15488)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5 | x_refsource_MISC |
| https://github.com/igniterealtime/Openfire/pull/1441 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T00:49:13.525Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/pull/1441" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-23T12:37:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/pull/1441" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15488", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5" }, { "name": "https://github.com/igniterealtime/Openfire/pull/1441", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/pull/1441" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15488", "datePublished": "2019-08-23T12:37:31", "dateReserved": "2019-08-22T00:00:00", "dateUpdated": "2024-08-05T00:49:13.525Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20364 (GCVE-0-2019-20364)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://issues.igniterealtime.org/browse/OF-1955 | x_refsource_MISC |
| https://github.com/igniterealtime/Openfire/pull/1561 | x_refsource_MISC |
| https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.607Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-29T19:52:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20364", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.igniterealtime.org/browse/OF-1955", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "name": "https://github.com/igniterealtime/Openfire/pull/1561", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20364", "datePublished": "2020-01-08T16:27:41", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2024-08-05T02:39:09.607Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-6972 (GCVE-0-2015-6972)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html | x_refsource_MISC |
| https://security.gentoo.org/glsa/201612-50 | vendor-advisory, x_refsource_GENTOO |
| https://www.exploit-db.com/exploits/38191/ | exploit, x_refsource_EXPLOIT-DB |
| http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:36:34.978Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html" }, { "name": "GLSA-201612-50", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201612-50" }, { "name": "38191", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/38191/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html" }, { "name": "GLSA-201612-50", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201612-50" }, { "name": "38191", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/38191/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-6972", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html" }, { "name": "GLSA-201612-50", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-50" }, { "name": "38191", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/38191/" }, { "name": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt", "refsource": "MISC", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-6972", "datePublished": "2015-09-16T19:00:00", "dateReserved": "2015-09-16T00:00:00", "dateUpdated": "2024-08-06T07:36:34.978Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-15911 (GCVE-0-2017-15911)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html | x_refsource_MISC |
| https://issues.igniterealtime.org/browse/OF-1417 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:04:50.529Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1417" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-10-26T00:00:00", "descriptions": [ { "lang": "en", "value": "The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-26T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1417" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15911", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html", "refsource": "MISC", "url": "https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html" }, { "name": "https://issues.igniterealtime.org/browse/OF-1417", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1417" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15911", "datePublished": "2017-10-26T17:00:00", "dateReserved": "2017-10-25T00:00:00", "dateUpdated": "2024-08-05T20:04:50.529Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-6509 (GCVE-0-2008-6509)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/7075 | exploit, x_refsource_EXPLOIT-DB |
| http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt | x_refsource_MISC |
| http://www.igniterealtime.org/issues/browse/JM-1488 | x_refsource_CONFIRM |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/46487 | vdb-entry, x_refsource_XF |
| http://secunia.com/advisories/32478 | third-party-advisory, x_refsource_SECUNIA |
| http://www.andreas-kurtz.de/archives/63 | x_refsource_MISC |
| http://www.securityfocus.com/bid/32189 | vdb-entry, x_refsource_BID |
| http://www.securityfocus.com/archive/1/498162/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
| http://osvdb.org/51912 | vdb-entry, x_refsource_OSVDB |
| http://www.vupen.com/english/advisories/2008/3061 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:34:46.529Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1488" }, { "name": "openfire-siparklogsummary-sql-injection(46487)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46487" }, { "name": "32478", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32478" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.andreas-kurtz.de/archives/63" }, { "name": "32189", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/32189" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "51912", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/51912" }, { "name": "ADV-2008-3061", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/3061" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-11-07T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and 
earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1488" }, { "name": "openfire-siparklogsummary-sql-injection(46487)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46487" }, { "name": "32478", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32478" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.andreas-kurtz.de/archives/63" }, { "name": "32189", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/32189" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "51912", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/51912" }, { "name": "ADV-2008-3061", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/3061" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6509", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } 
] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "7075", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7075" }, { "name": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt", "refsource": "MISC", "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "name": "http://www.igniterealtime.org/issues/browse/JM-1488", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/issues/browse/JM-1488" }, { "name": "openfire-siparklogsummary-sql-injection(46487)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46487" }, { "name": "32478", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32478" }, { "name": "http://www.andreas-kurtz.de/archives/63", "refsource": "MISC", "url": "http://www.andreas-kurtz.de/archives/63" }, { "name": "32189", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32189" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "51912", "refsource": "OSVDB", "url": "http://osvdb.org/51912" }, { "name": "ADV-2008-3061", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3061" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6509", "datePublished": "2009-03-23T19:26:00", "dateReserved": "2009-03-23T00:00:00", 
"dateUpdated": "2024-08-07T11:34:46.529Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-45967 (GCVE-0-2021-45967)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| https://www.pascom.net/doc/en/release-notes/ | x_refsource_MISC |
| https://www.pascom.net/doc/en/release-notes/pascom19/ | x_refsource_MISC |
| https://kerbit.io/research/read/blog/4 | x_refsource_MISC |
| https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:54:31.217Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.pascom.net/doc/en/release-notes/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.pascom.net/doc/en/release-notes/pascom19/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://kerbit.io/research/read/blog/4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2021-45967", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-20T15:41:38.575775Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-20T15:41:51.676Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-18T05:00:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.pascom.net/doc/en/release-notes/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.pascom.net/doc/en/release-notes/pascom19/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://kerbit.io/research/read/blog/4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-45967", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.pascom.net/doc/en/release-notes/", "refsource": "MISC", "url": "https://www.pascom.net/doc/en/release-notes/" }, { "name": "https://www.pascom.net/doc/en/release-notes/pascom19/", "refsource": "MISC", "url": "https://www.pascom.net/doc/en/release-notes/pascom19/" }, { "name": "https://kerbit.io/research/read/blog/4", "refsource": "MISC", "url": "https://kerbit.io/research/read/blog/4" }, { "name": "https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html", "refsource": "MISC", "url": "https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-45967", "datePublished": "2022-03-18T05:00:35", "dateReserved": "2022-01-01T00:00:00", "dateUpdated": "2024-11-20T15:41:51.676Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2741 (GCVE-0-2014-2741)
Vulnerability from cvelistv5
- n/a
| URL | Tags |
|---|---|
| http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/ | x_refsource_MISC |
| http://www.kb.cert.org/vuls/id/495476 | third-party-advisory, x_refsource_CERT-VN |
| http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77 | x_refsource_CONFIRM |
| http://openwall.com/lists/oss-security/2014/04/09/1 | mailing-list, x_refsource_MLIST |
| http://community.igniterealtime.org/thread/52317 | x_refsource_CONFIRM |
| http://openwall.com/lists/oss-security/2014/04/07/7 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:21:36.080Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/" }, { "name": "VU#495476", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "http://www.kb.cert.org/vuls/id/495476" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77" }, { "name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2014/04/09/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://community.igniterealtime.org/thread/52317" }, { "name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2014/04/07/7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-04-04T00:00:00", "descriptions": [ { "lang": "en", "value": "nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-24T04:57:00", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/" }, { "name": "VU#495476", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "http://www.kb.cert.org/vuls/id/495476" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77" }, { "name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2014/04/09/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://community.igniterealtime.org/thread/52317" }, { "name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2014/04/07/7" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@debian.org", "ID": "CVE-2014-2741", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a 
crafted XMPP stream, aka an \"xmppbomb\" attack." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/", "refsource": "MISC", "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/" }, { "name": "VU#495476", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/495476" }, { "name": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77", "refsource": "CONFIRM", "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77" }, { "name": "[oss-security] 20140408 Re: (Openfire M-Link Metronome Prosody Tigase) Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/04/09/1" }, { "name": "http://community.igniterealtime.org/thread/52317", "refsource": "CONFIRM", "url": "http://community.igniterealtime.org/thread/52317" }, { "name": "[oss-security] 20140407 Re: Possible CVE Request: Uncontrolled Resource Consumption with XMPP-Layer Compression", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/04/07/7" } ] } } } }, "cveMetadata": { "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2014-2741", "datePublished": "2014-04-11T01:00:00", "dateReserved": "2014-04-08T00:00:00", "dateUpdated": "2024-08-06T10:21:36.080Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-6973 (GCVE-0-2015-6973)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
http://www.securityfocus.com/archive/1/536470/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://security.gentoo.org/glsa/201612-50 | vendor-advisory, x_refsource_GENTOO | |
http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html | x_refsource_MISC | |
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt | x_refsource_MISC | |
https://www.exploit-db.com/exploits/38192/ | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:36:34.406Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20150915 Openfire 3.10.2 CSRF Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/536470/100/0/threaded" }, { "name": "GLSA-201612-50", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201612-50" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt" }, { "name": "38192", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/38192/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20150915 Openfire 3.10.2 CSRF Vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/536470/100/0/threaded" }, { "name": "GLSA-201612-50", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201612-50" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt" }, { "name": "38192", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/38192/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-6973", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20150915 Openfire 3.10.2 CSRF Vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536470/100/0/threaded" }, { "name": "GLSA-201612-50", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-50" }, { "name": "http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html" }, { "name": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt", "refsource": "MISC", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt" }, { "name": "38192", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/38192/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-6973", "datePublished": "2015-09-16T19:00:00", "dateReserved": "2015-09-16T00:00:00", "dateUpdated": "2024-08-06T07:36:34.406Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-35200 (GCVE-0-2020-35200)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:02:06.885Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-12T17:20:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35200", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296", "refsource": "MISC", "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35200", "datePublished": "2020-12-12T17:20:34", "dateReserved": "2020-12-12T00:00:00", "dateUpdated": "2024-08-04T17:02:06.885Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-6508 (GCVE-0-2008-6508)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://www.exploit-db.com/exploits/7075 | exploit, x_refsource_EXPLOIT-DB | |
http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt | x_refsource_MISC | |
http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html | x_refsource_CONFIRM | |
http://secunia.com/advisories/32478 | third-party-advisory, x_refsource_SECUNIA | |
http://osvdb.org/49663 | vdb-entry, x_refsource_OSVDB | |
http://www.andreas-kurtz.de/archives/63 | x_refsource_MISC | |
http://www.igniterealtime.org/issues/browse/JM-1489 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/32189 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/46488 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/archive/1/498162/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://www.vupen.com/english/advisories/2008/3061 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:34:47.047Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "name": "32478", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/32478" }, { "name": "49663", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/49663" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.andreas-kurtz.de/archives/63" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1489" }, { "name": "32189", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/32189" }, { "name": "openfire-authcheckfilter-security-bypass(46488)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46488" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "ADV-2008-3061", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/3061" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": 
"2008-11-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "name": "32478", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/32478" }, { "name": "49663", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/49663" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.andreas-kurtz.de/archives/63" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1489" }, { "name": "32189", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/32189" }, { "name": "openfire-authcheckfilter-security-bypass(46488)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46488" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "ADV-2008-3061", "tags": [ "vdb-entry", 
"x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/3061" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6508", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "7075", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7075" }, { "name": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt", "refsource": "MISC", "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "name": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "name": "32478", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/32478" }, { "name": "49663", "refsource": "OSVDB", "url": "http://osvdb.org/49663" }, { "name": "http://www.andreas-kurtz.de/archives/63", "refsource": "MISC", "url": "http://www.andreas-kurtz.de/archives/63" }, { "name": "http://www.igniterealtime.org/issues/browse/JM-1489", "refsource": "CONFIRM", "url": "http://www.igniterealtime.org/issues/browse/JM-1489" }, { "name": "32189", "refsource": "BID", "url": "http://www.securityfocus.com/bid/32189" }, { 
"name": "openfire-authcheckfilter-security-bypass(46488)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46488" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "name": "ADV-2008-3061", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/3061" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6508", "datePublished": "2009-03-23T19:26:00", "dateReserved": "2009-03-23T00:00:00", "dateUpdated": "2024-08-07T11:34:47.047Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-18394 (GCVE-0-2019-18394)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://github.com/igniterealtime/Openfire/pull/1497 | x_refsource_MISC | |
https://swarm.ptsecurity.com/openfire-admin-console/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:54:14.141Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/pull/1497" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-07T00:51:26", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/pull/1497" }, { "tags": [ "x_refsource_MISC" ], "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18394", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/igniterealtime/Openfire/pull/1497", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/pull/1497" }, { "name": "https://swarm.ptsecurity.com/openfire-admin-console/", "refsource": "MISC", "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18394", "datePublished": "2019-10-24T10:58:34", "dateReserved": "2019-10-24T00:00:00", "dateUpdated": "2024-08-05T01:54:14.141Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-6511 (GCVE-0-2008-6511)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://www.exploit-db.com/exploits/7075 | exploit, x_refsource_EXPLOIT-DB | |
http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/498162/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:34:46.650Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-11-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "7075", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/7075" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-6511", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "7075", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/7075" }, { "name": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt", "refsource": "MISC", "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "name": "20081108 [AK-ADV2008-001] Openfire Jabber-Server: Multiple Vulnerabilities (Authentication Bypass, SQL injection, ...)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-6511", "datePublished": "2009-03-23T19:26:00", "dateReserved": "2009-03-23T00:00:00", "dateUpdated": "2024-08-07T11:34:46.650Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-25420 (GCVE-0-2024-25420)
Vulnerability from cvelistv5
- n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.222Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.igniterealtime.org/projects/openfire/" }, { "tags": [ "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java" }, { "tags": [ "x_transferred" ], "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:igniterealtime:openfire:4.9.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "openfire", "vendor": "igniterealtime", "versions": [ { "status": "affected", "version": "4.9.0" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-25420", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-02T19:20:36.900170Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-273", "description": "CWE-273 Improper Check for Dropped Privileges", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-02T19:23:54.621Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": 
"An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-26T20:08:22.979154", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://www.igniterealtime.org/projects/openfire/" }, { "url": "https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java" }, { "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-25420", "datePublished": "2024-03-26T00:00:00", "dateReserved": "2024-02-07T00:00:00", "dateUpdated": "2024-08-02T19:23:54.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20365 (GCVE-0-2019-20365)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://issues.igniterealtime.org/browse/OF-1955 | x_refsource_MISC | |
https://github.com/igniterealtime/Openfire/pull/1561 | x_refsource_MISC | |
https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.854Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-29T19:39:49", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20365", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.igniterealtime.org/browse/OF-1955", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "name": "https://github.com/igniterealtime/Openfire/pull/1561", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20365", "datePublished": "2020-01-08T16:27:14", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2024-08-05T02:39:09.854Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-35127 (GCVE-0-2020-35127)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:55:10.647Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T04:05:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-35127", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276", "refsource": "MISC", "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-35127", "datePublished": "2020-12-11T04:05:47", "dateReserved": "2020-12-11T00:00:00", "dateUpdated": "2024-08-04T16:55:10.647Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3451 (GCVE-0-2014-3451)
Vulnerability from cvelistv5
- n/a
URL | Tags | |
---|---|---|
http://www.openwall.com/lists/oss-security/2015/04/23/16 | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/archive/1/535363/100/1100/threaded | mailing-list, x_refsource_BUGTRAQ | |
https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released | x_refsource_MISC | |
http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/74305 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:43:05.883Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20150423 Incorrect handling of self signed certificates in OpenFire XMPP Server", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/23/16" }, { "name": "20150424 Incorrect handling of self signed certificates in OpenFire XMPP Server", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/535363/100/1100/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html" }, { "name": "74305", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74305" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20150423 Incorrect handling of self signed certificates in OpenFire XMPP Server", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/23/16" }, { "name": "20150424 Incorrect handling of self signed certificates in OpenFire XMPP Server", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/535363/100/1100/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html" }, { "name": "74305", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74305" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3451", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20150423 Incorrect handling of self signed certificates in OpenFire XMPP Server", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/04/23/16" }, { "name": "20150424 Incorrect handling of self signed certificates in OpenFire XMPP Server", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535363/100/1100/threaded" }, { "name": "https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released", "refsource": "MISC", "url": "https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released" }, { "name": "http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html" }, { "name": "74305", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74305" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3451", "datePublished": "2017-08-18T18:00:00", "dateReserved": "2014-05-09T00:00:00", "dateUpdated": "2024-08-06T10:43:05.883Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-7707 (GCVE-0-2015-7707)
Vulnerability from cvelistv5
- Problem type: n/a
URL | Tags | |
---|---|---|
https://igniterealtime.org/issues/browse/OF-941 | x_refsource_MISC | |
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt | x_refsource_MISC | |
https://security.gentoo.org/glsa/201612-50 | vendor-advisory, x_refsource_GENTOO | |
http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/38190/ | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:58:59.859Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://igniterealtime.org/issues/browse/OF-941" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt" }, { "name": "GLSA-201612-50", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201612-50" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html" }, { "name": "38190", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/38190/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-06-30T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://igniterealtime.org/issues/browse/OF-941" }, { "tags": [ "x_refsource_MISC" ], "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt" }, { "name": "GLSA-201612-50", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201612-50" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html" }, { "name": "38190", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/38190/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7707", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://igniterealtime.org/issues/browse/OF-941", "refsource": "MISC", "url": "https://igniterealtime.org/issues/browse/OF-941" }, { "name": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt", "refsource": "MISC", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt" }, { "name": "GLSA-201612-50", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201612-50" }, { "name": "http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html" }, { "name": "38190", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/38190/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7707", "datePublished": "2015-10-05T15:00:00", "dateReserved": "2015-10-05T00:00:00", "dateUpdated": "2024-08-06T07:58:59.859Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-20363 (GCVE-0-2019-20363)
Vulnerability from cvelistv5
- Problem type: n/a
URL | Tags | |
---|---|---|
https://issues.igniterealtime.org/browse/OF-1955 | x_refsource_MISC | |
https://github.com/igniterealtime/Openfire/pull/1561 | x_refsource_MISC | |
https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:39:09.764Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-29T19:56:49", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20363", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.igniterealtime.org/browse/OF-1955", "refsource": "MISC", "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "name": "https://github.com/igniterealtime/Openfire/pull/1561", "refsource": "MISC", "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "name": "https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html", "refsource": "MISC", "url": "https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20363", "datePublished": "2020-01-08T16:27:50", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2024-08-05T02:39:09.764Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-32315 (GCVE-0-2023-32315)
Vulnerability from cvelistv5
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vendor | Product | Version | ||
---|---|---|---|---|
igniterealtime | Openfire | Version: >= 3.10.0, < 4.6.8; Version: >= 4.7.0, < 4.7.5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:10:24.896Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm" }, { "tags": [ "x_transferred" ], "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-32315", "options": [ { "Exploitation": "active" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-04T16:14:29.329482Z", "version": "2.0.3" }, "type": "ssvc" } }, { "other": { "content": { "dateAdded": "2023-08-24", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-32315" }, "type": "kev" } } ], "providerMetadata": { "dateUpdated": "2025-07-30T01:37:25.286Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "timeline": [ { "lang": "en", "time": "2023-08-24T00:00:00+00:00", "value": "CVE-2023-32315 added to CISA KEV" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Openfire", "vendor": "igniterealtime", "versions": [ { "status": "affected", "version": "\u003e= 3.10.0, \u003c 4.6.8" }, { "status": "affected", "version": "\u003e= 4.7.0, \u003c 4.7.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. 
This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-19T17:06:15.556Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm" }, { "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html" } ], "source": { "advisory": "GHSA-gw42-f939-fhvm", "discovery": "UNKNOWN" }, "title": "Openfire administration console 
authentication bypass" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-32315", "datePublished": "2023-05-26T22:33:07.974Z", "dateReserved": "2023-05-08T13:26:03.879Z", "dateUpdated": "2025-07-30T01:37:25.286Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-18394
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DE041DC-CCED-4A5A-A954-35BFEF54717B", "versionEndIncluding": "4.4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests." }, { "lang": "es", "value": "Una vulnerabilidad de tipo Server Side Request Forgery (SSRF) en el archivo FaviconServlet.java en Ignite Realtime Openfire versiones hasta 4.4.2, permite a atacantes enviar peticiones HTTP GET arbitrarias." } ], "id": "CVE-2019-18394", "lastModified": "2024-11-21T04:33:11.770", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-24T11:15:10.590", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party 
Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1497" }, { "source": "cve@mitre.org", "url": "https://swarm.ptsecurity.com/openfire-admin-console/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1497" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2020-35199
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.exploit-db.com/exploits/49233 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/49233 | Exploit, Third Party Advisory, VDB Entry |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D147E66-BDF7-4567-B2DF-697D4342F5F1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.6.0, presenta un XSS almacenado en el par\u00e1metro groupchatJID del archivo create-bookmark.jsp" } ], "id": "CVE-2020-35199", "lastModified": "2024-11-21T05:26:56.870", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-12-12T18:15:10.690", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/49233" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], 
"url": "https://www.exploit-db.com/exploits/49233" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2015-6972
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 3.10.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "460BD587-6246-422D-BD1C-CCCAF50844F2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en Ignite Realtime Openfire 3.10.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) groupchatName en plugins/clientcontrol/create-bookmark.jsp; (2) urlName en plugins/clientcontrol/create-bookmark.jsp; (3) hostname en server-session-details.jsp o (4) search en group-summary.jsp." 
} ], "id": "CVE-2015-6972", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-09-16T19:59:00.100", "references": [ { "source": "cve@mitre.org", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201612-50" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://www.exploit-db.com/exploits/38191/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201612-50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.exploit-db.com/exploits/38191/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2024-25421
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E895E03-96D2-4F89-A33D-B18C951F6600", "versionEndIncluding": "4.9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the ROOM_CACHE component." }, { "lang": "es", "value": "Un problema en Ignite Realtime Openfire v.4.9.0 y anteriores permite a un atacante remoto escalar privilegios a trav\u00e9s del componente ROOM_CACHE." } ], "id": "CVE-2024-25421", "lastModified": "2025-05-07T01:16:31.130", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-03-26T21:15:52.773", "references": [ { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/muc/spi/LocalMUCRoomManager.java" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" }, { "source": "cve@mitre.org", "tags": [ "Product", "Release Notes" ], "url": "https://www.igniterealtime.org/projects/openfire/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": 
"https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/muc/spi/LocalMUCRoomManager.java" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Release Notes" ], "url": "https://www.igniterealtime.org/projects/openfire/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-250" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
CVE-2014-2741
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "28930E5F-0943-436F-9593-9CFA781370A9", "versionEndIncluding": "3.9.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an \"xmppbomb\" attack." }, { "lang": "es", "value": "El archivo nio/XMLLightweightParser.java en Ignite Realtime Openfire anterior a versi\u00f3n 3.9.2, no restringe apropiadamente el procesamiento de elementos XML comprimidos, lo que permite a los atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) por medio de una secuencia XMPP dise\u00f1ada, tambi\u00e9n conocido como ataque \"xmppbomb\" ." 
} ], "id": "CVE-2014-2741", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-04-11T01:55:05.473", "references": [ { "source": "security@debian.org", "url": "http://community.igniterealtime.org/thread/52317" }, { "source": "security@debian.org", "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77" }, { "source": "security@debian.org", "url": "http://openwall.com/lists/oss-security/2014/04/07/7" }, { "source": "security@debian.org", "url": "http://openwall.com/lists/oss-security/2014/04/09/1" }, { "source": "security@debian.org", "tags": [ "US Government Resource" ], "url": "http://www.kb.cert.org/vuls/id/495476" }, { "source": "security@debian.org", "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://community.igniterealtime.org/thread/52317" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/04/07/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/04/09/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"US Government Resource" ], "url": "http://www.kb.cert.org/vuls/id/495476" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/" } ], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2021-45967
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://kerbit.io/research/read/blog/4 | Exploit, Patch, Third Party Advisory | |
cve@mitre.org | https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html | Exploit, Patch, Third Party Advisory | |
cve@mitre.org | https://www.pascom.net/doc/en/release-notes/ | Release Notes, Vendor Advisory | |
cve@mitre.org | https://www.pascom.net/doc/en/release-notes/pascom19/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://kerbit.io/research/read/blog/4 | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.pascom.net/doc/en/release-notes/ | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.pascom.net/doc/en/release-notes/pascom19/ | Release Notes, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
pascom | cloud_phone_system | * | |
igniterealtime | openfire | * | |
igniterealtime | openfire | 4.5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pascom:cloud_phone_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "78D2A6F1-C247-4A95-991B-610CDB0DB305", "versionEndIncluding": "7.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "FDF925B6-5EA0-492A-8CA8-A4D7D981641B", "versionEndExcluding": "4.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "C09684FF-1F40-443F-AE09-AA26A28BA86D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints." }, { "lang": "es", "value": "Se ha detectado un problema en Pascom Cloud Phone System versiones anteriores a 7.20.x. 
Un error de configuraci\u00f3n entre NGINX y un servidor Tomcat backend conlleva a un salto de ruta en el servidor Tomcat, exponiendo endpoints no deseados" } ], "id": "CVE-2021-45967", "lastModified": "2024-11-21T06:33:23.640", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-03-18T05:15:07.027", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://kerbit.io/research/read/blog/4" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://www.pascom.net/doc/en/release-notes/" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://www.pascom.net/doc/en/release-notes/pascom19/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://kerbit.io/research/read/blog/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://tutorialboy24.blogspot.com/2022/03/the-story-of-3-bugs-that-lead-to.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://www.pascom.net/doc/en/release-notes/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://www.pascom.net/doc/en/release-notes/pascom19/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html | Issue Tracking, Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1417 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1417 | Issue Tracking, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8D07190-AD0B-4C85-A458-010881DD711D", "versionEndIncluding": "4.1.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application." }, { "lang": "es", "value": "La consola de administrador en Ignite Realtime Openfire Server en versiones anteriores a la 4.1.7 permite la ejecuci\u00f3n arbitraria de c\u00f3digo JavaScript del lado del cliente en v\u00edctimas que hagan clic en un enlace setup/setup-host-settings.jsp?domain= manipulado. Esto tambi\u00e9n se conoce como XSS. El robo de ID o datos de sesi\u00f3n podr\u00eda ocurrir a continuaci\u00f3n, as\u00ed como la posibilidad de omitir las protecciones anti CSRF, la inyecci\u00f3n de iframes para establecer canales de comunicaci\u00f3n, etc. La vulnerabilidad est\u00e1 presente tras iniciar sesi\u00f3n en la aplicaci\u00f3n." 
} ], "id": "CVE-2017-15911", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-26T17:29:00.377", "references": [ { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1417" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://becomepentester.blogspot.ae/2017/10/Cross-Site-Scripting-Openfire-4.1.6-CVE-2017-15911.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1417" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": 
[ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * | |
igniterealtime | openfire | 2.6.0 | |
igniterealtime | openfire | 2.6.1 | |
igniterealtime | openfire | 2.6.2 | |
igniterealtime | openfire | 3.0.0 | |
igniterealtime | openfire | 3.0.1 | |
igniterealtime | openfire | 3.1.0 | |
igniterealtime | openfire | 3.1.1 | |
igniterealtime | openfire | 3.2.0 | |
igniterealtime | openfire | 3.2.1 | |
igniterealtime | openfire | 3.2.2 | |
igniterealtime | openfire | 3.2.3 | |
igniterealtime | openfire | 3.2.4 | |
igniterealtime | openfire | 3.3.0 | |
igniterealtime | openfire | 3.3.2 | |
igniterealtime | openfire | 3.3.3 | |
igniterealtime | openfire | 3.4.0 | |
igniterealtime | openfire | 3.4.1 | |
igniterealtime | openfire | 3.4.3 | |
igniterealtime | openfire | 3.4.4 | |
igniterealtime | openfire | 3.4.5 | |
igniterealtime | openfire | 3.5.0 | |
igniterealtime | openfire | 3.5.1 | |
igniterealtime | openfire | 3.5.2 | |
igniterealtime | openfire | 3.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "8733075B-1FFE-4A66-A80E-81111A3FC05D", "versionEndIncluding": "3.6.0a", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "20332EC7-FD3C-4118-8FE9-CF8DF62FC2CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "44EE43D4-190A-4188-AB48-34C87FA1CC10", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "73E425C2-E94D-41A9-A0A7-22498B138E6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1438E68-1149-49A8-AC38-4D65D19D7B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "57A6F7A2-1AFB-41DB-9C2D-BE0785BAC6A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABD75603-FE40-47CB-9810-F91C983F8732", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E4CC033A-F03B-4486-A27D-042FF0D3AB4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF90E1E8-1635-4A20-9EA1-4BAE1C63EB32", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "972DEE02-8707-473D-9BB9-A6A04F4B239C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9819365-ACD9-4801-B277-9B6D2A9CF3BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "70B640A2-A662-4BDC-970E-D71F6C1AC7A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": 
"DF31BC81-E6B0-4B98-95C1-27C4F163A146", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DC95549-3BC1-4296-9993-3C917FE895F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "664BCEB5-F38C-4FB2-95B3-E8F88FB8FC29", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5EA88D8-C41E-4CE1-85EB-8A0A23811FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1B16CECC-131F-4463-B8CE-101BD597C210", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650101D4-7395-4C4E-8862-84CE365259BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A848F149-C5EC-4E1E-B3EB-98066C5AE0EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE2746D5-0081-4065-97D0-2DBF5B8F00AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "6B870602-8455-4DDD-8CEE-0A4016714E6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE94D0C3-188D-42D1-B868-D32AF4D3432C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B845B1D-DC2D-47F0-A3DF-32AE01DDB6F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "7A1F4DD7-1B60-4006-842E-AE286302247F", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A469BBA3-5DD6-42B5-ABBD-A9342ADC703A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": 
"Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter." }, { "lang": "es", "value": "Una vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados en login.jsp en la Consola de Administraci\u00f3n de Openfire 3.6.0a y anteriores permite a atacantes remotos inyectar HTML o scripts web arbitrarios a trav\u00e9s del par\u00e1metro URL." } ], "id": "CVE-2008-6510", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-03-23T20:00:00.313", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "cve@mitre.org", "url": "http://www.igniterealtime.org/issues/browse/JM-629" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32189" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/3061" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46486" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7075" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], 
"url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.igniterealtime.org/issues/browse/JM-629" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32189" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/3061" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46486" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7075" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D147E66-BDF7-4567-B2DF-697D4342F5F1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.6.0, presenta una vulnerabilidad de tipo XSS Reflexivo en el archivo plugins/clientcontrol/spark-form.jsp" } ], "id": "CVE-2020-35200", "lastModified": "2024-11-21T05:26:57.060", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-12-12T18:15:11.567", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Exploit", "Vendor Advisory" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-reflective-xss-vulnerabilities/89296" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 3.10.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "460BD587-6246-422D-BD1C-CCCAF50844F2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp." }, { "lang": "es", "value": "Ignite Realtime Openfire 3.10.2 permite a usuarios remotos autenticados obtener acceso de administrador a trav\u00e9s del par\u00e1metro isadmin en user-edit-form.jsp." } ], "id": "CVE-2015-7707", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-05T15:59:03.097", "references": [ { "source": "cve@mitre.org", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html" }, { "source": "cve@mitre.org", "url": "https://igniterealtime.org/issues/browse/OF-941" }, { "source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201612-50" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://www.exploit-db.com/exploits/38190/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escalation.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://igniterealtime.org/issues/browse/OF-941" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201612-50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.exploit-db.com/exploits/38190/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * | |
igniterealtime | openfire | 2.6.0 | |
igniterealtime | openfire | 2.6.1 | |
igniterealtime | openfire | 2.6.2 | |
igniterealtime | openfire | 3.0.0 | |
igniterealtime | openfire | 3.0.1 | |
igniterealtime | openfire | 3.1.0 | |
igniterealtime | openfire | 3.1.1 | |
igniterealtime | openfire | 3.2.0 | |
igniterealtime | openfire | 3.2.1 | |
igniterealtime | openfire | 3.2.2 | |
igniterealtime | openfire | 3.2.3 | |
igniterealtime | openfire | 3.2.4 | |
igniterealtime | openfire | 3.3.0 | |
igniterealtime | openfire | 3.3.2 | |
igniterealtime | openfire | 3.3.3 | |
igniterealtime | openfire | 3.4.0 | |
igniterealtime | openfire | 3.4.1 | |
igniterealtime | openfire | 3.4.3 | |
igniterealtime | openfire | 3.4.4 | |
igniterealtime | openfire | 3.4.5 | |
igniterealtime | openfire | 3.5.0 | |
igniterealtime | openfire | 3.5.1 | |
igniterealtime | openfire | 3.5.2 | |
igniterealtime | openfire | 3.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "8733075B-1FFE-4A66-A80E-81111A3FC05D", "versionEndIncluding": "3.6.0a", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "20332EC7-FD3C-4118-8FE9-CF8DF62FC2CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "44EE43D4-190A-4188-AB48-34C87FA1CC10", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "73E425C2-E94D-41A9-A0A7-22498B138E6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1438E68-1149-49A8-AC38-4D65D19D7B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "57A6F7A2-1AFB-41DB-9C2D-BE0785BAC6A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABD75603-FE40-47CB-9810-F91C983F8732", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E4CC033A-F03B-4486-A27D-042FF0D3AB4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF90E1E8-1635-4A20-9EA1-4BAE1C63EB32", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "972DEE02-8707-473D-9BB9-A6A04F4B239C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9819365-ACD9-4801-B277-9B6D2A9CF3BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "70B640A2-A662-4BDC-970E-D71F6C1AC7A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": 
"DF31BC81-E6B0-4B98-95C1-27C4F163A146", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DC95549-3BC1-4296-9993-3C917FE895F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "664BCEB5-F38C-4FB2-95B3-E8F88FB8FC29", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5EA88D8-C41E-4CE1-85EB-8A0A23811FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1B16CECC-131F-4463-B8CE-101BD597C210", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650101D4-7395-4C4E-8862-84CE365259BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A848F149-C5EC-4E1E-B3EB-98066C5AE0EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE2746D5-0081-4065-97D0-2DBF5B8F00AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "6B870602-8455-4DDD-8CEE-0A4016714E6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE94D0C3-188D-42D1-B868-D32AF4D3432C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B845B1D-DC2D-47F0-A3DF-32AE01DDB6F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "7A1F4DD7-1B60-4006-842E-AE286302247F", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A469BBA3-5DD6-42B5-ABBD-A9342ADC703A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL 
injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n de SQL en CallLogDAO en el complemento SIP para Openfire 3.6.0a y anteriores permite a atacantes remotos ejecutar comandos SQL a trav\u00e9s del par\u00e1metro tipo (type) de sipark-log-summary.jsp." } ], "id": "CVE-2008-6509", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-03-23T20:00:00.267", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/51912" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32478" }, { "source": "cve@mitre.org", "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.andreas-kurtz.de/archives/63" }, { "source": "cve@mitre.org", "url": "http://www.igniterealtime.org/issues/browse/JM-1488" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32189" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/3061" }, { "source": "cve@mitre.org", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/46487" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7075" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/51912" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32478" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.andreas-kurtz.de/archives/63" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.igniterealtime.org/issues/browse/JM-1488" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32189" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/3061" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46487" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7075" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D00793A3-209D-4770-A21D-D8186D235D4E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.4.1, permite un ataque de tipo XSS por medio del par\u00e1metro serverURL del archivo setup/setup-datasource-standard.jsp" } ], "id": "CVE-2019-20527", "lastModified": "2024-11-21T04:38:40.590", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T14:15:12.097", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276 | Exploit, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276 | Exploit, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D147E66-BDF7-4567-B2DF-697D4342F5F1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.6.0, presenta una vulnerabilidad de tipo XSS Almacenado en el archivo plugins/bookmarks/create-bookmark.jsp" } ], "id": "CVE-2020-35127", "lastModified": "2024-11-21T05:26:49.050", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-12-11T05:15:12.577", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [
"Exploit", "Vendor Advisory" ], "url": "https://discourse.igniterealtime.org/t/openfire-4-6-0-has-stored-xss-vulnerabilities/89276" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source | URL | Tags | |
---|---|---|---|
security-advisories@github.com | http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
security-advisories@github.com | https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm | Exploit, Mitigation, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm | Exploit, Mitigation, Patch, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * | |
igniterealtime | openfire | * |
{ "cisaActionDue": "2023-09-14", "cisaExploitAdd": "2023-08-24", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Ignite Realtime Openfire Path Traversal Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E41A6C4-1A9E-4FF5-836D-578434F4AF86", "versionEndExcluding": "4.6.8", "versionStartIncluding": "3.10.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "976DC4DB-EB01-41EA-8401-56B8D6ED2382", "versionEndExcluding": "4.7.5", "versionStartIncluding": "4.7.0.", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u0027s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn\u2019t available for a specific release, or isn\u2019t quickly actionable, users may see the linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice." 
} ], "id": "CVE-2023-32315", "lastModified": "2025-03-10T20:36:57.097", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-26T23:15:16.643", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Mitigation", "Patch", "Vendor Advisory" ], "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mitigation", "Patch", "Vendor Advisory" ], "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm" } ], "sourceIdentifier": 
"security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * | |
igniterealtime | openfire | 2.6.0 | |
igniterealtime | openfire | 2.6.1 | |
igniterealtime | openfire | 2.6.2 | |
igniterealtime | openfire | 3.0.0 | |
igniterealtime | openfire | 3.0.1 | |
igniterealtime | openfire | 3.1.0 | |
igniterealtime | openfire | 3.1.1 | |
igniterealtime | openfire | 3.2.0 | |
igniterealtime | openfire | 3.2.1 | |
igniterealtime | openfire | 3.2.2 | |
igniterealtime | openfire | 3.2.3 | |
igniterealtime | openfire | 3.2.4 | |
igniterealtime | openfire | 3.3.0 | |
igniterealtime | openfire | 3.3.2 | |
igniterealtime | openfire | 3.3.3 | |
igniterealtime | openfire | 3.4.0 | |
igniterealtime | openfire | 3.4.1 | |
igniterealtime | openfire | 3.4.2 | |
igniterealtime | openfire | 3.4.3 | |
igniterealtime | openfire | 3.4.4 | |
igniterealtime | openfire | 3.4.5 | |
igniterealtime | openfire | 3.5.0 | |
igniterealtime | openfire | 3.5.1 | |
igniterealtime | openfire | 3.5.2 | |
igniterealtime | openfire | 3.6.0 | |
igniterealtime | openfire | 3.6.0a | |
igniterealtime | openfire | 3.6.1 | |
igniterealtime | openfire | 3.6.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "455B36AC-BD2F-4357-9806-BE8432BC9F47", "versionEndIncluding": "3.6.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "20332EC7-FD3C-4118-8FE9-CF8DF62FC2CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "44EE43D4-190A-4188-AB48-34C87FA1CC10", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "73E425C2-E94D-41A9-A0A7-22498B138E6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1438E68-1149-49A8-AC38-4D65D19D7B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "57A6F7A2-1AFB-41DB-9C2D-BE0785BAC6A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABD75603-FE40-47CB-9810-F91C983F8732", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E4CC033A-F03B-4486-A27D-042FF0D3AB4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF90E1E8-1635-4A20-9EA1-4BAE1C63EB32", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "972DEE02-8707-473D-9BB9-A6A04F4B239C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9819365-ACD9-4801-B277-9B6D2A9CF3BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "70B640A2-A662-4BDC-970E-D71F6C1AC7A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": 
"DF31BC81-E6B0-4B98-95C1-27C4F163A146", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DC95549-3BC1-4296-9993-3C917FE895F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "664BCEB5-F38C-4FB2-95B3-E8F88FB8FC29", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5EA88D8-C41E-4CE1-85EB-8A0A23811FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1B16CECC-131F-4463-B8CE-101BD597C210", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650101D4-7395-4C4E-8862-84CE365259BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "04EA1DCB-633A-4942-B039-F68113885F0E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A848F149-C5EC-4E1E-B3EB-98066C5AE0EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE2746D5-0081-4065-97D0-2DBF5B8F00AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "6B870602-8455-4DDD-8CEE-0A4016714E6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE94D0C3-188D-42D1-B868-D32AF4D3432C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B845B1D-DC2D-47F0-A3DF-32AE01DDB6F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "7A1F4DD7-1B60-4006-842E-AE286302247F", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": 
"A469BBA3-5DD6-42B5-ABBD-A9342ADC703A", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.0a:*:*:*:*:*:*:*", "matchCriteriaId": "7D89EA95-DC8B-4C47-A865-63C42EA63F42", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "F9306708-219D-44A8-9FE3-B2EC8EF77DF4", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "8691783F-7F3C-4264-9030-F89B607C35A4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action." }, { "lang": "es", "value": "La implementaci\u00f3n jabber:iq:auth en IQAuthHandler.java de Ignite Realtime Openfire v3.6.5 permite a usuarios remotos autenticados cambiar las contrase\u00f1as de cuentas de usuario de su elecci\u00f3n a trav\u00e9s de un elemento \"username\" (nombre de usuario) modificado en la acci\u00f3n passwd_change." 
} ], "id": "CVE-2009-1595", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-05-11T14:30:00.297", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/54189" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/34976" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1531" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/34804" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/1237" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50292" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/54189" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/34976" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1531" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://www.securityfocus.com/bid/34804" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/1237" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50292" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 3.10.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.10.2:*:*:*:*:*:*:*", "matchCriteriaId": "460BD587-6246-422D-BD1C-CCCAF50844F2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontrol/permitted-clients.jsp." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en Ignite Realtime Openfire 3.10.2 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para peticiones que (1) cambian una contrase\u00f1a a trav\u00e9s de una petici\u00f3n manipulada a user-password.jsp, (2) a\u00f1aden usuarios a trav\u00e9s de una petici\u00f3n manipulada a user-create.jsp, (3) editan ajustes de servidor o (4) desactivan SSL en el servidor a trav\u00e9s de una petici\u00f3n manipulada a server-props.jsp, o (5) a\u00f1aden clientes a trav\u00e9s de una petici\u00f3n manipulada a plugins/clientcontrol/permitted-clients.jsp."
} ], "id": "CVE-2015-6973", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-09-16T19:59:01.663", "references": [ { "source": "cve@mitre.org", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/536470/100/0/threaded" }, { "source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201612-50" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://www.exploit-db.com/exploits/38192/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Request-Forgery.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/536470/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201612-50" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.exploit-db.com/exploits/38192/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": 
"en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5 | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/igniterealtime/Openfire/pull/1441 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/igniterealtime/Openfire/pull/1441 | Patch, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B4B337D-0690-472E-9C01-551C0702D144", "versionEndExcluding": "4.4.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test." }, { "lang": "es", "value": "Ignite Realtime Openfire anterior a la versi\u00f3n 4.4.1 presenta XSS reflejado a trav\u00e9s de una prueba de configuraci\u00f3n LDAP." } ], "id": "CVE-2019-15488", "lastModified": "2024-11-21T04:28:51.170", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-08-23T13:15:11.390", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ],
"url": "https://github.com/igniterealtime/Openfire/pull/1441" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1441" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.exploit-db.com/exploits/49234 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/49234 | Exploit, Third Party Advisory, VDB Entry |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D147E66-BDF7-4567-B2DF-697D4342F5F1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.6.0, presenta una vulnerabilidad de tipo XSS Almacenado en los usuarios del archivo create-bookmark.jsp" } ], "id": "CVE-2020-35201", "lastModified": "2024-11-21T05:26:57.217", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-12-12T18:15:11.847", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/49234" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], 
"url": "https://www.exploit-db.com/exploits/49234" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1963 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1963 | Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.5.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7C7E9D2-88C1-45AE-BD6D-237914798E9C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request \"searchName\", \"searchValue\", \"searchDescription\", \"searchDefaultValue\", \"searchPlugin\", \"searchDescription\" and \"searchDynamic\" in server-properties.jsp and security-audit-viewer.jsp" }, { "lang": "es", "value": "Se detect\u00f3 una vulnerabilidad de tipo XSS Reflejado en Ignite Realtime Openfire versi\u00f3n 4.5.1. La vulnerabilidad de tipo XSS permite a atacantes remotos inyectar script web o HTML arbitrario por medio de la petici\u00f3n GET \"searchName\", \"searchValue\", \"searchDescription\", \"searchDefaultValue\", \"searchPlugin\", \"searchDescription\" y \"searchDynamic\" en los archivos server-properties.jsp y security-audit-viewer.jsp" } ], "id": "CVE-2020-24604", "lastModified": "2024-11-21T05:15:08.300", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-09-02T15:15:10.457", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24604-ignite-realtime-openfire.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "D85080E0-3D14-40C3-B06D-5092AB8F772D", "versionEndIncluding": "3.9.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks." }, { "lang": "es", "value": "OpenFire XMPP Server en versiones anteriores a la 3.10 acepta certificados autofirmados, lo que permite que atacantes remotos realicen ataques de spoofing sin especificar." } ], "id": "CVE-2014-3451", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-08-18T18:29:00.217", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory", "VDB Entry" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/23/16" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/535363/100/1100/threaded" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/74305" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/131614/OpenFire-XMPP-3.9.3-Certificate-Handling.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory", "VDB Entry" ], "url": "http://www.openwall.com/lists/oss-security/2015/04/23/16" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535363/100/1100/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/74305" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-295" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1963 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1963 | Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.5.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7C7E9D2-88C1-45AE-BD6D-237914798E9C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter \"searchName\", \"alias\" in the import certificate trusted page" }, { "lang": "es", "value": "En Ignite Realtime Openfire versi\u00f3n 4.5.1, una vulnerabilidad de tipo Cross-site Almacenado permite a un atacante ejecutar una URL maliciosa arbitraria por medio del par\u00e1metro POST vulnerable \"searchName\", \"alias\" en la p\u00e1gina import certificate trusted" } ], "id": "CVE-2020-24601", "lastModified": "2024-11-21T05:15:07.943", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2020-09-02T15:15:10.317", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24601-ignite-realtime-openfire.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "65A725C1-F775-4A44-A855-4FB8A8BE77A1", "versionEndExcluding": "3.6.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet." }, { "lang": "es", "value": "Ignite Realtime Openfire antes de v3.6.5 no implementa correctamente la propiedad de configuraci\u00f3n de la consola register.password (alias canChangePassword), lo que permite eludir la pol\u00edtica de seguridad a usuarios remotos autenticados, as\u00ed como cambiar sus propias contrase\u00f1as a trav\u00e9s de un paquete passwd_change IQ." } ], "id": "CVE-2009-1596", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", 
"version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2009-05-11T14:30:00.343", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://secunia.com/advisories/34984" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Permissions Required", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1532" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/54189" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Exploit", "Patch", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/34804" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50291" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "http://secunia.com/advisories/34984" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/community/message/190280" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Permissions Required", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1532" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.osvdb.org/54189" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Exploit", "Patch", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/34804" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/50291" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DE041DC-CCED-4A5A-A954-35BFEF54717B", "versionEndIncluding": "4.4.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability." }, { "lang": "es", "value": "El archivo PluginServlet.java en Ignite Realtime Openfire versiones hasta 4.4.2, no garantiza que los archivos recuperados se encuentren en el directorio de inicio de Openfire, tambi\u00e9n se conoce como una vulnerabilidad de salto de directorio." } ], "id": "CVE-2019-18393", "lastModified": "2024-11-21T04:33:11.633", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-24T11:15:10.513", "references": [ { "source": 
"cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1498" }, { "source": "cve@mitre.org", "url": "https://swarm.ptsecurity.com/openfire-admin-console/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1498" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://swarm.ptsecurity.com/openfire-admin-console/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "63BD1DE8-82EB-4630-816E-2659AF24B8CE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents." }, { "lang": "es", "value": "Se descubri\u00f3 un problema de tipo XSS en Ignite Realtime Openfire versi\u00f3n 4.4.4, por medio de isTrustStore en Manage Store Contents." } ], "id": "CVE-2019-20366", "lastModified": "2024-11-21T04:38:19.253", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-08T17:15:11.680", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], 
"url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20366-openfire.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1963 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1963 | Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.5.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C7C7E9D2-88C1-45AE-BD6D-237914798E9C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter \"searchName\", \"searchValue\", \"searchDescription\", \"searchDefaultValue\",\"searchPlugin\", \"searchDescription\" and \"searchDynamic\" in the Server Properties and Security Audit Viewer JSP page" }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.5.1, presenta una vulnerabilidad de tipo Cross-site scripting reflejado que permite a un atacante ejecutar una URL maliciosa arbitraria por medio del par\u00e1metro GET vulnerable \"searchName\",\"searchValue\",\"searchDescription\",\"searchDefaultValue\",\"searchPlugin\",\"searchDescription\" y \"searchDynamic\" en la p\u00e1gina Server Properties and Security Audit Viewer JSP" } ], "id": "CVE-2020-24602", "lastModified": "2024-11-21T05:15:08.130", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": 
"LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-09-02T15:15:10.393", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2020-24602-ignite-realtime-openfire.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1963" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.exploit-db.com/exploits/49235 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/49235 | Exploit, Third Party Advisory, VDB Entry |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D147E66-BDF7-4567-B2DF-697D4342F5F1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.6.0, presenta una vulnerabilidad de tipo XXS Almacenado en el archivo sql plugins/dbaccess/db-access.jsp" } ], "id": "CVE-2020-35202", "lastModified": "2024-11-21T05:26:57.403", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-12-12T18:15:11.927", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/49235" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB 
Entry" ], "url": "https://www.exploit-db.com/exploits/49235" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D00793A3-209D-4770-A21D-D8186D235D4E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.4.1, permite un ataque de tipo XSS por medio del par\u00e1metro driver del archivo setup/setup-datasource-standard.jsp." } ], "id": "CVE-2019-20525", "lastModified": "2024-11-21T04:38:40.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.803", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * | |
igniterealtime | openfire | 2.6.0 | |
igniterealtime | openfire | 2.6.1 | |
igniterealtime | openfire | 2.6.2 | |
igniterealtime | openfire | 3.0.0 | |
igniterealtime | openfire | 3.0.1 | |
igniterealtime | openfire | 3.1.0 | |
igniterealtime | openfire | 3.1.1 | |
igniterealtime | openfire | 3.2.0 | |
igniterealtime | openfire | 3.2.1 | |
igniterealtime | openfire | 3.2.2 | |
igniterealtime | openfire | 3.2.3 | |
igniterealtime | openfire | 3.2.4 | |
igniterealtime | openfire | 3.3.0 | |
igniterealtime | openfire | 3.3.2 | |
igniterealtime | openfire | 3.3.3 | |
igniterealtime | openfire | 3.4.0 | |
igniterealtime | openfire | 3.4.1 | |
igniterealtime | openfire | 3.4.3 | |
igniterealtime | openfire | 3.4.4 | |
igniterealtime | openfire | 3.4.5 | |
igniterealtime | openfire | 3.5.0 | |
igniterealtime | openfire | 3.5.1 | |
igniterealtime | openfire | 3.5.2 | |
igniterealtime | openfire | 3.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "8733075B-1FFE-4A66-A80E-81111A3FC05D", "versionEndIncluding": "3.6.0a", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "20332EC7-FD3C-4118-8FE9-CF8DF62FC2CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "44EE43D4-190A-4188-AB48-34C87FA1CC10", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "73E425C2-E94D-41A9-A0A7-22498B138E6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1438E68-1149-49A8-AC38-4D65D19D7B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "57A6F7A2-1AFB-41DB-9C2D-BE0785BAC6A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABD75603-FE40-47CB-9810-F91C983F8732", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E4CC033A-F03B-4486-A27D-042FF0D3AB4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF90E1E8-1635-4A20-9EA1-4BAE1C63EB32", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "972DEE02-8707-473D-9BB9-A6A04F4B239C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9819365-ACD9-4801-B277-9B6D2A9CF3BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "70B640A2-A662-4BDC-970E-D71F6C1AC7A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": 
"DF31BC81-E6B0-4B98-95C1-27C4F163A146", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DC95549-3BC1-4296-9993-3C917FE895F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "664BCEB5-F38C-4FB2-95B3-E8F88FB8FC29", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5EA88D8-C41E-4CE1-85EB-8A0A23811FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1B16CECC-131F-4463-B8CE-101BD597C210", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650101D4-7395-4C4E-8862-84CE365259BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A848F149-C5EC-4E1E-B3EB-98066C5AE0EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE2746D5-0081-4065-97D0-2DBF5B8F00AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "6B870602-8455-4DDD-8CEE-0A4016714E6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE94D0C3-188D-42D1-B868-D32AF4D3432C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B845B1D-DC2D-47F0-A3DF-32AE01DDB6F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "7A1F4DD7-1B60-4006-842E-AE286302247F", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A469BBA3-5DD6-42B5-ABBD-A9342ADC703A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory 
traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI." }, { "lang": "es", "value": "Una vulnerabilidad de salto de directorio en el filtro AuthCheck de la Consola de administraci\u00f3n de Openfire 3.6.0a y anteriores permite a atacantes remotos eludir el proceso de autenticaci\u00f3n y acceder a la pantalla de administraci\u00f3n a trav\u00e9s de un .. (punto punto) en una URI que coincida con la lista de cadenas excluidas (Exclude-Strings), como lo demuestra una secuencia /setup/setup-/.. en una URI." } ], "id": "CVE-2008-6508", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-03-23T20:00:00.203", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://osvdb.org/49663" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/32478" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "cve@mitre.org", "url": "http://www.andreas-kurtz.de/archives/63" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { 
"source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1489" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32189" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/3061" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46488" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7075" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://osvdb.org/49663" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/32478" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.andreas-kurtz.de/archives/63" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.igniterealtime.org/issues/browse/JM-1489" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/32189" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2008/3061" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46488" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7075" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D00793A3-209D-4770-A21D-D8186D235D4E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.4.1, permite un ataque de tipo XSS por medio del par\u00e1metro username del archivo setup/setup-datasource-standard.jsp." } ], "id": "CVE-2019-20528", "lastModified": "2024-11-21T04:38:40.713", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-18T19:15:17.280", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * | |
igniterealtime | openfire | 2.6.0 | |
igniterealtime | openfire | 2.6.1 | |
igniterealtime | openfire | 2.6.2 | |
igniterealtime | openfire | 3.0.0 | |
igniterealtime | openfire | 3.0.1 | |
igniterealtime | openfire | 3.1.0 | |
igniterealtime | openfire | 3.1.1 | |
igniterealtime | openfire | 3.2.0 | |
igniterealtime | openfire | 3.2.1 | |
igniterealtime | openfire | 3.2.2 | |
igniterealtime | openfire | 3.2.3 | |
igniterealtime | openfire | 3.2.4 | |
igniterealtime | openfire | 3.3.0 | |
igniterealtime | openfire | 3.3.2 | |
igniterealtime | openfire | 3.3.3 | |
igniterealtime | openfire | 3.4.0 | |
igniterealtime | openfire | 3.4.1 | |
igniterealtime | openfire | 3.4.3 | |
igniterealtime | openfire | 3.4.4 | |
igniterealtime | openfire | 3.4.5 | |
igniterealtime | openfire | 3.5.0 | |
igniterealtime | openfire | 3.5.1 | |
igniterealtime | openfire | 3.5.2 | |
igniterealtime | openfire | 3.6.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "8733075B-1FFE-4A66-A80E-81111A3FC05D", "versionEndIncluding": "3.6.0a", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "20332EC7-FD3C-4118-8FE9-CF8DF62FC2CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "44EE43D4-190A-4188-AB48-34C87FA1CC10", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "73E425C2-E94D-41A9-A0A7-22498B138E6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1438E68-1149-49A8-AC38-4D65D19D7B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "57A6F7A2-1AFB-41DB-9C2D-BE0785BAC6A4", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABD75603-FE40-47CB-9810-F91C983F8732", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E4CC033A-F03B-4486-A27D-042FF0D3AB4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF90E1E8-1635-4A20-9EA1-4BAE1C63EB32", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "972DEE02-8707-473D-9BB9-A6A04F4B239C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "F9819365-ACD9-4801-B277-9B6D2A9CF3BB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "70B640A2-A662-4BDC-970E-D71F6C1AC7A8", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": 
"DF31BC81-E6B0-4B98-95C1-27C4F163A146", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "6DC95549-3BC1-4296-9993-3C917FE895F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "664BCEB5-F38C-4FB2-95B3-E8F88FB8FC29", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5EA88D8-C41E-4CE1-85EB-8A0A23811FB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1B16CECC-131F-4463-B8CE-101BD597C210", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "650101D4-7395-4C4E-8862-84CE365259BE", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "A848F149-C5EC-4E1E-B3EB-98066C5AE0EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "CE2746D5-0081-4065-97D0-2DBF5B8F00AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "6B870602-8455-4DDD-8CEE-0A4016714E6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE94D0C3-188D-42D1-B868-D32AF4D3432C", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "5B845B1D-DC2D-47F0-A3DF-32AE01DDB6F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "7A1F4DD7-1B60-4006-842E-AE286302247F", "vulnerable": true }, { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A469BBA3-5DD6-42B5-ABBD-A9342ADC703A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Open 
redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter." }, { "lang": "es", "value": "Vulnerabilidad de redirecci\u00f3n abierta en login.jsp en Openfire 3.6.0a y anteriores permite a atacantes remotos redirigir a los usuarios a sitios Web arbitrarios y llevar a cabo ataques de phishing a trav\u00e9s del par\u00e1metro URL." } ], "id": "CVE-2008-6511", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-03-23T20:00:00.327", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/7075" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/498162/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/7075" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "63BD1DE8-82EB-4630-816E-2659AF24B8CE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp." }, { "lang": "es", "value": "Se descubri\u00f3 un problema de tipo XSS en Ignite Realtime Openfire versi\u00f3n 4.4.4, por medio de cacheName en el archivo SystemCacheDetails.jsp." } ], "id": "CVE-2019-20364", "lastModified": "2024-11-21T04:38:18.950", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-08T17:15:11.507", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" 
], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20364-openfire.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "63BD1DE8-82EB-4630-816E-2659AF24B8CE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents." }, { "lang": "es", "value": "Se descubri\u00f3 un problema de tipo XSS en Ignite Realtime Openfire versi\u00f3n 4.4.4, por medio de un alias en Manage Store Contents." } ], "id": "CVE-2019-20363", "lastModified": "2024-11-21T04:38:18.793", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-08T17:15:11.460", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20363-openfire.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/ | Exploit, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D00793A3-209D-4770-A21D-D8186D235D4E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter." }, { "lang": "es", "value": "Ignite Realtime Openfire versi\u00f3n 4.4.1, permite un ataque de tipo XSS por medio del par\u00e1metro password del archivo setup/setup-datasource-standard.jsp." } ], "id": "CVE-2019-20526", "lastModified": "2024-11-21T04:38:40.457", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-19T18:15:15.883", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-015-reflected-cross-site-scripting-in-openfire/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 3.7.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "C4046511-3960-4C29-A011-D4D83A20DA3B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim\u0027s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim\u0027s cookie-based authentication credentials." }, { "lang": "es", "value": "Ignite Realtime Openfire 3.7.1 es vulnerable a secuencias de comandos entre sitios (XSS) debido a una validaci\u00f3n incorrecta de las entradas proporcionadas por el usuario. Un atacante remoto podr\u00eda explotar esta vulnerabilidad mediante una URL manipulada para ejecutar scripts en el navegador web de una v\u00edctima en el contexto de seguridad del sitio web que lo aloja, una vez que se haya hecho clic en la URL. Un atacante podr\u00eda usar esta vulnerabilidad para robar las credenciales de autenticaci\u00f3n basadas en cookies de la v\u00edctima." 
} ], "id": "CVE-2018-11688", "lastModified": "2024-11-21T03:43:49.573", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-06-13T16:29:01.437", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2018/Jun/13" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2018/Jun/24" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/542060/100/0/threaded" }, { "source": "cve@mitre.org", "url": "https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a" }, { "source": "cve@mitre.org", "url": 
"https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/148057/Ignite-Realtime-Openfire-3.7.1-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2018/Jun/13" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2018/Jun/24" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/542060/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/igniterealtime/Openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/igniterealtime/Openfire/compare/v3.9.1...v3.9.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-11688" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E895E03-96D2-4F89-A33D-B18C951F6600", "versionEndIncluding": "4.9.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component." }, { "lang": "es", "value": "Un problema en Ignite Realtime Openfire v.4.9.0 y anteriores permite a un atacante remoto escalar privilegios a trav\u00e9s del componente de propiedad del sistema admin.authorizedJIDs." } ], "id": "CVE-2024-25420", "lastModified": "2025-05-07T01:20:27.840", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-03-26T21:15:52.710", "references": [ { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" }, { "source": "cve@mitre.org", "tags": [ "Product", "Release Notes" ], "url": "https://www.igniterealtime.org/projects/openfire/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": 
"https://github.com/igniterealtime/Openfire/blob/main/xmppserver/src/main/java/org/jivesoftware/openfire/admin/AdminManager.java" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.hackthebox.com/blog/openfire-cves-explained-CVE-2024-25420-CVE-2024-25421" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Release Notes" ], "url": "https://www.igniterealtime.org/projects/openfire/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-273" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
cve@mitre.org | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/igniterealtime/Openfire/pull/1561 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://issues.igniterealtime.org/browse/OF-1955 | Issue Tracking, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 4.4.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:4.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "63BD1DE8-82EB-4630-816E-2659AF24B8CE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page." }, { "lang": "es", "value": "Se descubri\u00f3 un problema de tipo XSS en Ignite Realtime Openfire versi\u00f3n 4.4.4, por medio de una b\u00fasqueda en la p\u00e1gina Users/Group search." } ], "id": "CVE-2019-20365", "lastModified": "2024-11-21T04:38:19.110", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-08T17:15:11.603", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party 
Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cybersecurityworks.com/zerodays/cve-2019-20365-openfire.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/igniterealtime/Openfire/pull/1561" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://issues.igniterealtime.org/browse/OF-1955" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
igniterealtime | openfire | 3.6.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:igniterealtime:openfire:3.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "8691783F-7F3C-4264-9030-F89B607C35A4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in log.jsp in Ignite Realtime Openfire 3.6.2 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the log parameter." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en log.jsp en Ignite Realtime Openfire v3.6.2, permite a atacantes remotos leer ficheros de su elecci\u00f3n a trav\u00e9s de \"..\\\" en el par\u00e1metro \"log\"." } ], "id": "CVE-2009-0497", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-02-10T01:30:00.407", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33452" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/web/log.jsp" }, { "source": "cve@mitre.org", "url": "http://www.coresecurity.com/content/openfire-multiple-vulnerabilities" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/499880/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/32945" }, { "source": "cve@mitre.org", "url": 
"https://bugs.gentoo.org/show_bug.cgi?id=257585" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47806" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/33452" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://svn.igniterealtime.org/svn/repos/openfire/trunk/src/web/log.jsp" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.coresecurity.com/content/openfire-multiple-vulnerabilities" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/499880/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/32945" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.gentoo.org/show_bug.cgi?id=257585" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47806" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
var-201806-0919
Vulnerability from variot
Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's web browser within the security context of the hosting web site once the victim clicks the URL. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. Per this description the issue is addressed in 3.9.2; the record's references include the upstream v3.9.1...v3.9.2 comparison. Ignite Realtime Openfire (formerly Wildfire) is a cross-platform, open-source real-time collaboration (RTC) server, developed in Java by the Ignite Realtime community and based on XMPP (the instant messaging protocol formerly known as Jabber). It can be used to build an efficient instant messaging server that supports tens of thousands of concurrent users.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201806-0919", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "openfire", "scope": "eq", "trust": 1.6, "vendor": "igniterealtime", "version": "3.7.1" }, { "model": "openfire", "scope": "eq", "trust": 0.8, "vendor": "ignite realtime", "version": "3.7.1" }, { "model": "igniterealtime", "scope": "eq", "trust": 0.6, 
"vendor": "igniterealtime", "version": "3.7.1" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-14347" }, { "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "db": "CNNVD", "id": "CNNVD-201806-845" }, { "db": "NVD", "id": "CVE-2018-11688" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:igniterealtime:openfire", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006608" } ] }, "cve": "CVE-2018-11688", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "id": "CVE-2018-11688", "impactScore": 2.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", 
"exploitabilityScore": 10.0, "id": "CNVD-2018-14347", "impactScore": 2.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 2.8, "id": "CVE-2018-11688", "impactScore": 2.7, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "trust": 1.8, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2018-11688", "trust": 1.0, "value": "MEDIUM" }, { "author": "NVD", "id": "CVE-2018-11688", "trust": 0.8, "value": "Medium" }, { "author": "CNVD", "id": "CNVD-2018-14347", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201806-845", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-14347" }, { "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "db": "CNNVD", "id": "CNNVD-201806-845" }, { "db": "NVD", "id": "CVE-2018-11688" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim\u0027s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim\u0027s cookie-based authentication credentials. 
IgniteRealtimeOpenfire (formerly Wildfire) is a cross-platform open source real-time collaboration (RTC) server based on XMPP (formerly known as Jabber, instant messaging protocol) developed by Java in the Ignite Realtime community. It can build an efficient instant messaging server and support it. The number of tens of thousands of concurrent users", "sources": [ { "db": "NVD", "id": "CVE-2018-11688" }, { "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "db": "CNVD", "id": "CNVD-2018-14347" } ], "trust": 2.16 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2018-11688", "trust": 3.0 }, { "db": "PACKETSTORM", "id": "148057", "trust": 2.4 }, { "db": "JVNDB", "id": "JVNDB-2018-006608", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2018-14347", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201806-845", "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-14347" }, { "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "db": "CNNVD", "id": "CNNVD-201806-845" }, { "db": "NVD", "id": "CVE-2018-11688" } ] }, "id": "VAR-201806-0919", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2018-14347" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-14347" } ] }, "last_update_date": "2024-11-23T22:30:21.646000Z", "patch": { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Openfire", "trust": 0.8, "url": "http://www.igniterealtime.org/projects/openfire/index.jsp" } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006608" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-79", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "db": "NVD", "id": "CVE-2018-11688" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.4, "url": "http://packetstormsecurity.com/files/148057/ignite-realtime-openfire-3.7.1-cross-site-scripting.html" }, { "trust": 1.6, "url": "http://seclists.org/fulldisclosure/2018/jun/13" }, { "trust": 1.6, "url": "http://www.securityfocus.com/archive/1/542060/100/0/threaded" }, { "trust": 1.6, "url": "http://seclists.org/fulldisclosure/2018/jun/24" }, { "trust": 1.6, "url": "https://github.com/igniterealtime/openfire/compare/v3.9.1...v3.9.2" }, { "trust": 1.6, "url": "https://vulmon.com/vulnerabilitydetails?qid=cve-2018-11688" }, { "trust": 1.6, "url": "https://github.com/igniterealtime/openfire/commit/ed3492a24274fd454afe93a499db49f3d6335108#diff-3f607cf668ad8f1091e789a2c1dca32a" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11688" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-11688" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2018-14347" }, { "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "db": "CNNVD", "id": "CNNVD-201806-845" }, { "db": "NVD", 
"id": "CVE-2018-11688" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2018-14347" }, { "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "db": "CNNVD", "id": "CNNVD-201806-845" }, { "db": "NVD", "id": "CVE-2018-11688" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-01T00:00:00", "db": "CNVD", "id": "CNVD-2018-14347" }, { "date": "2018-08-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "date": "2018-06-14T00:00:00", "db": "CNNVD", "id": "CNNVD-201806-845" }, { "date": "2018-06-13T16:29:01.437000", "db": "NVD", "id": "CVE-2018-11688" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2018-08-01T00:00:00", "db": "CNVD", "id": "CNVD-2018-14347" }, { "date": "2018-08-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2018-006608" }, { "date": "2019-06-21T00:00:00", "db": "CNNVD", "id": "CNNVD-201806-845" }, { "date": "2024-11-21T03:43:49.573000", "db": "NVD", "id": "CVE-2018-11688" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-845" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Ignite Realtime Openfire Vulnerable to cross-site scripting", "sources": [ { "db": "JVNDB", "id": "JVNDB-2018-006608" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { 
"@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "XSS", "sources": [ { "db": "CNNVD", "id": "CNNVD-201806-845" } ], "trust": 0.6 } }
var-201908-0290
Vulnerability from variot
Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. Ignite Realtime Openfire contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. The record's patch list points to upstream pull request #1441 ("OF-1192: Fixes Reflected XSS in LDAP Setup test") for the fix. Ignite Realtime Openfire is a cross-platform, open-source real-time collaboration (RTC) server, developed in Java by the Ignite Realtime community and based on XMPP (the instant messaging protocol formerly known as Jabber). It can be used to build an efficient instant messaging server that supports tens of thousands of concurrent users.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201908-0290", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "openfire", "scope": "lt", "trust": 1.0, "vendor": "igniterealtime", "version": "4.4.1" }, { "model": "openfire", "scope": "lt", "trust": 0.8, "vendor": "ignite realtime", "version": "4.4.1" }, { "model": "realtime openfire", "scope": "lt", "trust": 0.6, 
"vendor": "ignite", "version": "4.4.1" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-29164" }, { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "NVD", "id": "CVE-2019-15488" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "cpe_match": [ { "cpe22Uri": "cpe:/a:igniterealtime:openfire", "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-008246" } ] }, "cve": "CVE-2019-15488", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "exploitabilityScore": 8.6, "id": "CVE-2019-15488", "impactScore": 2.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 1.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": 
"CNVD-2019-29164", "impactScore": 4.9, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "nvd@nist.gov", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 2.8, "id": "CVE-2019-15488", "impactScore": 2.7, "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "trust": 1.8, "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" } ], "severity": [ { "author": "nvd@nist.gov", "id": "CVE-2019-15488", "trust": 1.0, "value": "MEDIUM" }, { "author": "NVD", "id": "CVE-2019-15488", "trust": 0.8, "value": "Medium" }, { "author": "CNVD", "id": "CNVD-2019-29164", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201908-1880", "trust": 0.6, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-29164" }, { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "CNNVD", "id": "CNNVD-201908-1880" }, { "db": "NVD", "id": "CVE-2019-15488" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. Ignite Realtime Openfire Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Ignite Realtime Openfire is a cross-platform open source real-time collaboration (RTC) server based on XMPP (formerly known as Jabber, instant messaging protocol) developed by Java in the Ignite Realtime community. It can build an efficient instant messaging server and support tens of thousands. 
The number of concurrent users", "sources": [ { "db": "NVD", "id": "CVE-2019-15488" }, { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "CNVD", "id": "CNVD-2019-29164" } ], "trust": 2.16 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-15488", "trust": 3.0 }, { "db": "JVNDB", "id": "JVNDB-2019-008246", "trust": 0.8 }, { "db": "CNVD", "id": "CNVD-2019-29164", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201908-1880", "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-29164" }, { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "CNNVD", "id": "CNNVD-201908-1880" }, { "db": "NVD", "id": "CVE-2019-15488" } ] }, "id": "VAR-201908-0290", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2019-29164" } ], "trust": 0.06 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-29164" } ] }, "last_update_date": "2024-11-23T22:21:33.579000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Comparing changes", "trust": 0.8, "url": "https://github.com/igniterealtime/Openfire/compare/cd0a573...5e5d9e5" }, { "title": "OF-1192: Fixes Reflected XSS in LDAP Setup test 
#1441", "trust": 0.8, "url": "https://github.com/igniterealtime/Openfire/pull/1441" }, { "title": "Patch for Ignite Realtime Openfire Cross-Site Scripting Vulnerability (CNVD-2019-29164)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchInfo/show/177739" }, { "title": "Ignite Realtime Openfire Fixes for cross-site scripting vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96939" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-29164" }, { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "CNNVD", "id": "CNNVD-201908-1880" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-79", "trust": 1.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "NVD", "id": "CVE-2019-15488" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.2, "url": "https://github.com/igniterealtime/openfire/pull/1441" }, { "trust": 2.2, "url": "https://github.com/igniterealtime/openfire/compare/cd0a573...5e5d9e5" }, { "trust": 1.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-15488" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15488" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-29164" }, { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "CNNVD", "id": "CNNVD-201908-1880" }, { "db": "NVD", "id": "CVE-2019-15488" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2019-29164" }, { "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "db": "CNNVD", "id": "CNNVD-201908-1880" }, { "db": "NVD", "id": 
"CVE-2019-15488" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-08-29T00:00:00", "db": "CNVD", "id": "CNVD-2019-29164" }, { "date": "2019-08-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "date": "2019-08-23T00:00:00", "db": "CNNVD", "id": "CNNVD-201908-1880" }, { "date": "2019-08-23T13:15:11.390000", "db": "NVD", "id": "CVE-2019-15488" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-08-29T00:00:00", "db": "CNVD", "id": "CNVD-2019-29164" }, { "date": "2019-08-28T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-008246" }, { "date": "2019-08-27T00:00:00", "db": "CNNVD", "id": "CNNVD-201908-1880" }, { "date": "2024-11-21T04:28:51.170000", "db": "NVD", "id": "CVE-2019-15488" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201908-1880" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Ignite Realtime Openfire Vulnerable to cross-site scripting", "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-008246" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "XSS", "sources": [ { "db": "CNNVD", "id": "CNNVD-201908-1880" } ], "trust": 0.6 } }