37 matches found
CVE-2021-45967
Pascom Cloud Phone System before 7.20.x is affected by a path traversal vulnerability caused by a configuration mismatch between NGINX and the backend Tomcat, exposing unintended endpoints. Multiple connected sources corroborate a pre-7.20.x issue with path traversal (and related exposure). Remed...
CVE-2023-32315
Openfire (Ignite Realtime) is affected by a path traversal vulnerability in the web-based Admin Console exposed via the unauthenticated Setup Environment, permitting access to admin pages in an already configured Openfire instance. Affected versions are Openfire releases since April 2015 starting...
CVE-2019-18394
Ignite Realtime Openfire before version 4.4.3 is affected by a Server-Side Request Forgery (SSRF) in FaviconServlet.java, allowing attackers to send arbitrary HTTP GET requests. The vulnerability affects Openfire up to 4.4.2; exploitation is facilitated by the SSRF flaw in the FaviconServlet. Rem...
CVE-2008-6508
Openfire Openfire Admin Console is affected by a directory traversal (path traversal) vulnerability (CVE-2008-6508) in the AuthCheck filter, enabling remote attackers to bypass authentication and access the admin interface via a .. sequence in a URI that matches the Exclude-Strings list. Affected...
CVE-2009-1595
The CVE-2009-1595 issue affects Ignite Realtime Openfire, where the jabber:iq:auth implementation in IQAuthHandler.java on versions before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts by modifying the username element in a passwd_change action. This enable...
CVE-2019-18393
Openfire
CVE-2019-20528
The CVE-2019-20528 entry concerns Ignite Realtime Openfire 4.4.1, where a cross-site scripting (XSS) vulnerability can be triggered through the username parameter in the setup/setup-datasource-standard.jsp page. This is caused by improper input handling in the web application, enabling an attacke...
CVE-2019-20526
Affected software: Ignite Realtime Openfire 4.4.1. Vulnerability: Cross-site scripting (XSS) via the password parameter in setup/setup-datasource-standard.jsp. Root cause: Parameter handling vulnerability that allows injected script in the login/config setup flow. Impact: XSS could affect users i...
CVE-2024-25421
CVE-2024-25421 affects Ignite Realtime Openfire (v4.9.0 and earlier) and enables privilege escalation via the ROOM_CACHE component. The root cause is insufficient validation/management of privileges within ROOM_CACHE, allowing a remote attacker to elevate privileges without user interaction. The ...
CVE-2018-11688
CVE-2018-11688 affects Ignite Realtime Openfire prior to 3.9.2. The vulnerability is a cross-site scripting (XSS) flaw caused by improper validation of user-supplied input, enabling a remote attacker to craft a URL that, when clicked, executes script in the victim’s browser within the site’s secu...
CVE-2020-35127
CVE-2020-35127 affects Ignite Realtime Openfire 4.6.0 with a stored XSS in the bookmarks plugin, specifically in create-bookmark.jsp. The vulnerability arises from the bookmarks/create-bookmark.jsp handling potentially unsanitized input, enabling an attacker to inject scripts that may execute in ...
CVE-2024-25420
Analyzed CVE-2024-25420 with connected sources: Ignite Realtime Openfire up to version 4.8.1 is affected by a privilege-escalation flaw due to improper handling of the admin.authorizedJIDs system property. Red Hat entries for CVE-2024-25420 corroborate the remote attack vector, enabling an attack...
CVE-2019-20525
CVE-2019-20525 affects Ignite Realtime Openfire 4.4.1, which is vulnerable to cross-site scripting via the setup/setup-datasource-standard.jsp driver parameter. The issue’s root cause is an XSS vector in that parameter handling. A fix exists in Openfire 4.4.2, per multiple advisories (including G...
CVE-2019-20527
Summary: Openfire 4.4.1 is affected by a cross-site scripting vulnerability driven by the serverURL parameter in setup/datasource-standard.jsp. The issue allows an attacker to inject and execute client-side scripts in the context of an Openfire Web UI session. The root cause is insufficient valid...
CVE-2019-15488
CVE-2019-15488 affects Ignite Realtime Openfire before 4.4.1, where the LDAP setup test endpoint processes input in a way that allows a reflected XSS payload. The issue is described as a reflected XSS via the LDAP setup test in multiple sources (Openfire, Red Hat advisory, OSV, etc.). No explicit...
CVE-2020-24601
CVE-2020-24601 affects Ignite Realtime Openfire 4.5.1. A stored cross-site scripting vulnerability exists where a POST parameter in the import certificate trusted page (searchName, alias) can be used to execute an arbitrary malicious URL. The connected PT-2020-15761 advisory notes there is no inf...
CVE-2008-6510
CVE-2008-6510 is an XSS vulnerability in Openfire’s Admin Console login.jsp (Openfire, = net-im/openfire-3.6.3 to remediate. The connected documents do not provide details on exploitation in the wild.
CVE-2020-35201
CVE-2020-35201 affects Ignite Realtime Openfire 4.6.0, with a Stored XSS in the create-bookmark.jsp page affecting users. The connected documents confirm the affected product/version and the vulnerability class; no concrete patch/version fix is stated. An exploit-db entry is linked, suggesting ex...
CVE-2008-6509
CVE-2008-6509 concerns Openfire (Jive Software) Openfire server. It is an SQL injection in the SIP plugin’s sipark-log-summary.jsp where the unsanitized input for the type parameter is used to build SQL statements. A remote attacker could execute arbitrary SQL via the type parameter, potentially ...
CVE-2009-1596
CVE-2009-1596 affects Ignite Realtime Openfire prior to 3.6.5. The register.password (canChangePassword) console setting is not properly enforced, allowing remote authenticated users to bypass the intended policy and change their own passwords via a passwd_change IQ packet. The vulnerability enab...
CVE-2017-15911
The CVE-2017-15911 entry concerns Ignite Realtime Openfire Server prior to 4.1.7, where the Admin Console is vulnerable to cross-site scripting (XSS) via a crafted setup/setup-host-settings.jsp?domain= link. This allows arbitrary client-side JavaScript execution on victims after login, with poten...
CVE-2020-35202
CVE-2020-35202 affects Ignite Realtime Openfire 4.6.0, with a Stored XSS vulnerability in the db-access.jsp file of the dbaccess plugin. The issue is triggered through SQL handling in that component, enabling script injection under the described conditions. Connected sources corroborate Openfire ...
CVE-2008-6511
Openfire is affected by CVE-2008-6511: an open redirect in login.jsp affects Openfire 3.6.0a and earlier, allowing remote attackers to redirect users to arbitrary sites and facilitate phishing via the url parameter. The issue is part of a set of vulnerabilities; remediation per Gentoo GLSA 200904...
CVE-2019-20366
CVE-2019-20366: Ignite Realtime Openfire 4.4.4 contains an XSS vulnerability exploitable via isTrustStore to Manage Store Contents. The connected Red Hat, OSV, OSV-GHSA, and CVE listings corroborate an XSS issue affecting Openfire’s management UI. The public documents do not specify root-cause de...
CVE-2020-35199
Openfire 4.6.0 from Ignite Realtime contains a Stored XSS in create-bookmark.jsp with the groupchatJID parameter. Descriptions across sources indicate exploitation could enable credential theft (stored XSS risk). No official patch/version is specified in the provided documents. Some advisories su...
CVE-2014-3451
OpenFire XMPP Server prior to 3.10 is affected by CVE-2014-3451 due to incorrect handling of self-signed certificates, allowing potential spoofing. The root cause is improper certificate validation for self-signed certificates. The vulnerability is addressed in the 3.10 release (OF-405). No explo...
CVE-2020-35200
CVE-2020-35200 affects Ignite Realtime Openfire 4.6.0, specifically the plugin file plugins/clientcontrol/spark-form.jsp, with a Reflective XSS flaw. The connected sources confirm the vulnerability in this exact component and version; exploitation status or in-the-wild details are not provided. M...
CVE-2014-2741
Openfire before 3.9.2 is affected by a denial-of-service due to improper restriction in nio/XMLLightweightParser.java when processing compressed XML in XMPP streams (xmppbomb). Exploitation can exhaust resources on the server via crafted XMPP traffic. The issue is fixed in Openfire 3.9.2 and late...
CVE-2009-0497
CVE-2009-0497 is an Openfire vulnerability (Openfire 3.6.2 and affected builds) where the log.jsp component fails to validate the log parameter, allowing a remote attacker to perform a directory traversal (via ..) and read arbitrary files on the server. The issue is caused by improper input valid...
CVE-2015-6972
CVE-2015-6972 relates to multiple XSS vulnerabilities in Ignite Realtime Openfire 3.10.2. The issues arise from insufficient validation/filtering of inputs in several pages: group-summary.jsp (search parameter), plugins/clientcontrol/create-bookmark.jsp (groupchatName and urlName), and server-ses...
CVE-2019-20364
Ignite Realtime Openfire 4.4.4 is affected by CVE-2019-20364, an XSS vulnerability exploitable via the cacheName parameter in SystemCacheDetails.jsp. The issue originates from Openfire’s web component validating client-side data, allowing potentially crafted input to execute in a user’s browser. ...
CVE-2015-6973
Openfire (Ignite Realtime) 3.10.2 is affected by CVE-2015-6973 (and related CVEs) due to insufficient CSRF protections. Multiple CSRF vulnerabilities allow remote attackers to hijack administrator sessions by issuing crafted requests to JSPs such as user-password.jsp, user-create.jsp, server-prop...
CVE-2015-7707
Openfire 3.10.2 is affected by CVE-2015-7707, where remote authenticated users can gain administrator access via the isadmin parameter in user-edit-form.jsp. This is part of a set of linked issues (CVE-2015-6972/6973/7707) that also include CSRF and XSS vulnerabilities, enabling privilege escalat...
CVE-2020-24602
Openfire 4.5.1 is affected by a reflected XSS in the Server Properties and Security Audit Viewer JSP page. The vulnerability allows an attacker to trigger arbitrary URL execution by manipulating the vulnerable GET parameters: searchName, searchValue, searchDescription, searchDefaultValue, searchP...
CVE-2019-20363
Openfire 4.4.4 from Ignite Realtime has a cross-site scripting (XSS) vulnerability exposed via an alias to Manage Store Contents. The connected documents confirm the issue but do not provide detailed root-cause, exploit paths, affected components beyond the web interface, or a published fix. No r...
CVE-2019-20365
The connected records confirm a cross-site scripting (XSS) vulnerability in Ignite Realtime Openfire 4.4.4, exploitable via the Users/Group search page. No public details in these documents specify the root cause beyond it being an XSS issue, or provide patch/version remediation. Other sources re...
CVE-2020-24604
CVE-2020-24604 describes a reflected XSS in Ignite Realtime Openfire 4.5.1. The vulnerability allows remote attackers to inject arbitrary web script or HTML via GET parameters in the pages server-properties.jsp and security-audit-viewer.jsp (parameters include searchName, searchValue, searchDescr...