260 matches found
Ignite Realtime Openfire vulnerable to Server Side Request Forgery
A Server Side Request Forgery SSRF vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. The issue is fixed in version 4.5.0-beta...
Ignite Realtime Openfire vulnerable to XMPPbomb attack
nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service resource consumption via a crafted XMPP stream, aka an "xmppbomb" attack...
GHSA-J5QH-CP3P-2H87 Ignite Realtime Openfire vulnerable to XMPPbomb attack
nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service resource consumption via a crafted XMPP stream, aka an "xmppbomb" attack...
GHSA-V3H2-4J2R-WQJ8 Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protection...
Ignite Realtime Openfire vulnerable to cross-site scripting
Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site,...
Ignite Realtime Openfire Allows Users to Change Passwords of Arbitrary Accounts
The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwdchange action...
GHSA-R62W-X9PP-JRQP Ignite Realtime Openfire Allows Users to Change Passwords of Arbitrary Accounts
The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwdchange action...
GHSA-X337-43MR-GG3H Ignite Realtime Openfire allows remote authenticated users to cause a denial of service
ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service daemon outage by triggering large outgoing queues without reading messages...
Ignite Realtime Openfire allows remote authenticated users to cause a denial of service
ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service daemon outage by triggering large outgoing queues without reading messages...
'//WEB-INF/' Information Disclosure Vulnerability (HTTP)
Various application or web servers / products are prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier:...
Ignite Realtime Openfire Cross-Site Scripting Vulnerability (CNVD-2021-09925)
Ignite Realtime Openfire is a real-time collaboration RTC server licensed under the open source Apache license. Ignite Realtime Openfire 4.6.0 suffers from a create-bookmark.jsp groupchatJID stored cross-site scripting vulnerability. An attacker can exploit this vulnerability to steal sensitive...
CVE-2020-35201
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS...
CVE-2020-35200
Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS...
CVE-2020-35202
Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS...
CVE-2020-35201
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS...
CVE-2020-35200
Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS...
CVE-2020-35202
Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS...
CVE-2020-35199
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS...
CVE-2020-35199
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS...
Cross site scripting
Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS...