GHSA-WX2W-8PQW-VP4G Ignite Realtime Openfire allows Cross-site Scripting
Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. This issue was fixed in version 4.4.2...
GHSA-MFJW-X4Q4-69P9 Ignite Realtime Openfire vulnerable to Server Side Request Forgery
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. The issue is fixed in version 4.5.0-beta...
GHSA-59H8-H34R-Q9CV Ignite Realtime Openfire directory traversal vulnerability
PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. Version 4.5.0-beta contains a fix for the issue...
GHSA-J5QH-CP3P-2H87 Ignite Realtime Openfire vulnerable to XMPPbomb attack
nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack...
GHSA-V3H2-4J2R-WQJ8 Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console
The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protection...
GHSA-JPHJ-5G3M-W7X6 Ignite Realtime Openfire vulnerable to cross-site scripting
Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site,...
GHSA-R62W-X9PP-JRQP Ignite Realtime Openfire Allows Users to Change Passwords of Arbitrary Accounts
The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwdchange action...
GHSA-X337-43MR-GG3H Ignite Realtime Openfire allows remote authenticated users to cause a denial of service
ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service (daemon outage) by triggering large outgoing queues without reading messages...
Openfire < 4.5.5, 4.6.x < 4.6.6 Multiple Log4j Vulnerabilities (Log4Shell)
Openfire is prone to multiple vulnerabilities in the Apache Log4j library. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
'//WEB-INF/' Information Disclosure Vulnerability (HTTP)
Various application or web servers / products are prone to an information disclosure vulnerability...
Cross-site Scripting (XSS) - Generic in igniterealtime/openfire-bookmarks-plugin
Description: openfire-bookmarks-plugin is vulnerable to Cross-Site Scripting (XSS). Steps To Reproduce: 1. Download and install Openfire from https://www.igniterealtime.org/downloads/ 2. Run the server at http://localhost:9090/index.jsp 3. Click on "Plugins" at http://localhost:9090/plugin-admin.jsp and install...
Openfire <= 4.6.4 Multiple XSS Vulnerabilities
Openfire is prone to multiple cross-site scripting (XSS) vulnerabilities...
Ignite Realtime Openfire Cross-Site Scripting Vulnerability (CNVD-2021-09925)
Ignite Realtime Openfire is a real-time collaboration (RTC) server licensed under the open source Apache license. Ignite Realtime Openfire 4.6.0 suffers from a stored cross-site scripting vulnerability in the groupchatJID parameter of create-bookmark.jsp. An attacker can exploit this vulnerability to steal sensitive...
CVE-2020-35201
Ignite Realtime Openfire 4.6.0 has stored XSS via the create-bookmark.jsp users parameter...