Lucene search
K
IgniterealtimeOpenfire

37 matches found

CVE
CVE
added 2022/03/18 5:0 a.m.1755 views

CVE-2021-45967

Pascom Cloud Phone System before 7.20.x is affected by a path traversal vulnerability caused by a configuration mismatch between NGINX and the backend Tomcat, exposing unintended endpoints. Multiple connected sources corroborate a pre-7.20.x issue with path traversal (and related exposure). Remed...

9.8CVSS9.3AI score0.208EPSS
In wild
CVE
CVE
added 2023/05/26 10:33 p.m.653 views

CVE-2023-32315

Openfire (Ignite Realtime) is affected by a path traversal vulnerability in the web-based Admin Console exposed via the unauthenticated Setup Environment, permitting access to admin pages in an already configured Openfire instance. Affected versions are Openfire releases since April 2015 starting...

8.6CVSS8.2AI score0.99999EPSS
In wildWeb
CVE
CVE
added 2019/10/24 10:58 a.m.248 views

CVE-2019-18394

Ignite Realtime Openfire before version 4.4.3 is affected by a Server-Side Request Forgery (SSRF) in FaviconServlet.java, allowing attackers to send arbitrary HTTP GET requests. The vulnerability affects Openfire up to 4.4.2; exploitation is facilitated by the SSRF flaw in the FaviconServlet. Rem...

9.8CVSS8.5AI score0.32304EPSS
In wild
CVE
CVE
added 2009/03/23 7:26 p.m.211 views

CVE-2008-6508

Openfire Openfire Admin Console is affected by a directory traversal (path traversal) vulnerability (CVE-2008-6508) in the AuthCheck filter, enabling remote attackers to bypass authentication and access the admin interface via a .. sequence in a URI that matches the Exclude-Strings list. Affected...

7.5CVSS7.4AI score0.83382EPSS
In wildWeb
CVE
CVE
added 2009/05/11 2:2 p.m.145 views

CVE-2009-1595

The CVE-2009-1595 issue affects Ignite Realtime Openfire, where the jabber:iq:auth implementation in IQAuthHandler.java on versions before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts by modifying the username element in a passwd_change action. This enable...

4CVSS6AI score0.02228EPSS
CVE
CVE
added 2019/10/24 10:58 a.m.109 views

CVE-2019-18393

Openfire

5.3CVSS5.5AI score0.13945EPSS
In wild
CVE
CVE
added 2020/03/18 6:36 p.m.104 views

CVE-2019-20528

The CVE-2019-20528 entry concerns Ignite Realtime Openfire 4.4.1, where a cross-site scripting (XSS) vulnerability can be triggered through the username parameter in the setup/setup-datasource-standard.jsp page. This is caused by improper input handling in the web application, enabling an attacke...

6.1CVSS5.9AI score0.00906EPSS
Web
CVE
CVE
added 2020/03/19 5:56 p.m.87 views

CVE-2019-20526

Affected software: Ignite Realtime Openfire 4.4.1. Vulnerability: Cross-site scripting (XSS) via the password parameter in setup/setup-datasource-standard.jsp. Root cause: Parameter handling vulnerability that allows injected script in the login/config setup flow. Impact: XSS could affect users i...

6.1CVSS6AI score0.00906EPSS
Web
CVE
CVE
added 2024/03/26 12:0 a.m.86 views

CVE-2024-25421

CVE-2024-25421 affects Ignite Realtime Openfire (v4.9.0 and earlier) and enables privilege escalation via the ROOM_CACHE component. The root cause is insufficient validation/management of privileges within ROOM_CACHE, allowing a remote attacker to elevate privileges without user interaction. The ...

9.8CVSS7AI score0.0165EPSS
CVE
CVE
added 2018/06/13 4:0 p.m.84 views

CVE-2018-11688

CVE-2018-11688 affects Ignite Realtime Openfire prior to 3.9.2. The vulnerability is a cross-site scripting (XSS) flaw caused by improper validation of user-supplied input, enabling a remote attacker to craft a URL that, when clicked, executes script in the victim’s browser within the site’s secu...

6.1CVSS6.2AI score0.0242EPSS
CVE
CVE
added 2020/12/11 4:5 a.m.79 views

CVE-2020-35127

CVE-2020-35127 affects Ignite Realtime Openfire 4.6.0 with a stored XSS in the bookmarks plugin, specifically in create-bookmark.jsp. The vulnerability arises from the bookmarks/create-bookmark.jsp handling potentially unsanitized input, enabling an attacker to inject scripts that may execute in ...

5.4CVSS5.6AI score0.00566EPSS
CVE
CVE
added 2024/03/26 12:0 a.m.75 views

CVE-2024-25420

Analyzed CVE-2024-25420 with connected sources: Ignite Realtime Openfire up to version 4.8.1 is affected by a privilege-escalation flaw due to improper handling of the admin.authorizedJIDs system property. Red Hat entries for CVE-2024-25420 corroborate the remote attack vector, enabling an attack...

7.2CVSS7.5AI score0.01431EPSS
CVE
CVE
added 2020/03/19 5:56 p.m.74 views

CVE-2019-20525

CVE-2019-20525 affects Ignite Realtime Openfire 4.4.1, which is vulnerable to cross-site scripting via the setup/setup-datasource-standard.jsp driver parameter. The issue’s root cause is an XSS vector in that parameter handling. A fix exists in Openfire 4.4.2, per multiple advisories (including G...

6.1CVSS5.9AI score0.00906EPSS
Web
CVE
CVE
added 2020/03/19 1:51 p.m.74 views

CVE-2019-20527

Summary: Openfire 4.4.1 is affected by a cross-site scripting vulnerability driven by the serverURL parameter in setup/datasource-standard.jsp. The issue allows an attacker to inject and execute client-side scripts in the context of an Openfire Web UI session. The root cause is insufficient valid...

6.1CVSS5.9AI score0.00906EPSS
Web
CVE
CVE
added 2019/08/23 12:37 p.m.71 views

CVE-2019-15488

CVE-2019-15488 affects Ignite Realtime Openfire before 4.4.1, where the LDAP setup test endpoint processes input in a way that allows a reflected XSS payload. The issue is described as a reflected XSS via the LDAP setup test in multiple sources (Openfire, Red Hat advisory, OSV, etc.). No explicit...

6.1CVSS5.9AI score0.00905EPSS
CVE
CVE
added 2020/09/02 2:41 p.m.68 views

CVE-2020-24601

CVE-2020-24601 affects Ignite Realtime Openfire 4.5.1. A stored cross-site scripting vulnerability exists where a POST parameter in the import certificate trusted page (searchName, alias) can be used to execute an arbitrary malicious URL. The connected PT-2020-15761 advisory notes there is no inf...

6.1CVSS6.2AI score0.0062EPSS
CVE
CVE
added 2009/03/23 7:26 p.m.67 views

CVE-2008-6510

CVE-2008-6510 is an XSS vulnerability in Openfire’s Admin Console login.jsp (Openfire, = net-im/openfire-3.6.3 to remediate. The connected documents do not provide details on exploitation in the wild.

4.3CVSS5.5AI score0.01776EPSS
CVE
CVE
added 2020/12/12 5:20 p.m.67 views

CVE-2020-35201

CVE-2020-35201 affects Ignite Realtime Openfire 4.6.0, with a Stored XSS in the create-bookmark.jsp page affecting users. The connected documents confirm the affected product/version and the vulnerability class; no concrete patch/version fix is stated. An exploit-db entry is linked, suggesting ex...

5.4CVSS5.6AI score0.00731EPSS
CVE
CVE
added 2009/03/23 7:26 p.m.61 views

CVE-2008-6509

CVE-2008-6509 concerns Openfire (Jive Software) Openfire server. It is an SQL injection in the SIP plugin’s sipark-log-summary.jsp where the unsanitized input for the type parameter is used to build SQL statements. A remote attacker could execute arbitrary SQL via the type parameter, potentially ...

7.5CVSS8.2AI score0.02011EPSS
CVE
CVE
added 2009/05/11 2:2 p.m.61 views

CVE-2009-1596

CVE-2009-1596 affects Ignite Realtime Openfire prior to 3.6.5. The register.password (canChangePassword) console setting is not properly enforced, allowing remote authenticated users to bypass the intended policy and change their own passwords via a passwd_change IQ packet. The vulnerability enab...

6.5CVSS6AI score0.012EPSS
CVE
CVE
added 2017/10/26 5:0 p.m.61 views

CVE-2017-15911

The CVE-2017-15911 entry concerns Ignite Realtime Openfire Server prior to 4.1.7, where the Admin Console is vulnerable to cross-site scripting (XSS) via a crafted setup/setup-host-settings.jsp?domain= link. This allows arbitrary client-side JavaScript execution on victims after login, with poten...

4.8CVSS5.6AI score0.00728EPSS
Web
CVE
CVE
added 2020/12/12 5:20 p.m.61 views

CVE-2020-35202

CVE-2020-35202 affects Ignite Realtime Openfire 4.6.0, with a Stored XSS vulnerability in the db-access.jsp file of the dbaccess plugin. The issue is triggered through SQL handling in that component, enabling script injection under the described conditions. Connected sources corroborate Openfire ...

5.4CVSS5.6AI score0.00731EPSS
CVE
CVE
added 2009/03/23 7:26 p.m.60 views

CVE-2008-6511

Openfire is affected by CVE-2008-6511: an open redirect in login.jsp affects Openfire 3.6.0a and earlier, allowing remote attackers to redirect users to arbitrary sites and facilitate phishing via the url parameter. The issue is part of a set of vulnerabilities; remediation per Gentoo GLSA 200904...

5.8CVSS6.5AI score0.01829EPSS
CVE
CVE
added 2020/01/08 4:26 p.m.59 views

CVE-2019-20366

CVE-2019-20366: Ignite Realtime Openfire 4.4.4 contains an XSS vulnerability exploitable via isTrustStore to Manage Store Contents. The connected Red Hat, OSV, OSV-GHSA, and CVE listings corroborate an XSS issue affecting Openfire’s management UI. The public documents do not specify root-cause de...

6.1CVSS5.9AI score0.01265EPSS
CVE
CVE
added 2020/12/12 5:20 p.m.58 views

CVE-2020-35199

Openfire 4.6.0 from Ignite Realtime contains a Stored XSS in create-bookmark.jsp with the groupchatJID parameter. Descriptions across sources indicate exploitation could enable credential theft (stored XSS risk). No official patch/version is specified in the provided documents. Some advisories su...

5.4CVSS5.6AI score0.0061EPSS
CVE
CVE
added 2017/08/18 6:0 p.m.57 views

CVE-2014-3451

OpenFire XMPP Server prior to 3.10 is affected by CVE-2014-3451 due to incorrect handling of self-signed certificates, allowing potential spoofing. The root cause is improper certificate validation for self-signed certificates. The vulnerability is addressed in the 3.10 release (OF-405). No explo...

7.5CVSS7.5AI score0.01767EPSS
CVE
CVE
added 2020/12/12 5:20 p.m.56 views

CVE-2020-35200

CVE-2020-35200 affects Ignite Realtime Openfire 4.6.0, specifically the plugin file plugins/clientcontrol/spark-form.jsp, with a Reflective XSS flaw. The connected sources confirm the vulnerability in this exact component and version; exploitation status or in-the-wild details are not provided. M...

6.1CVSS6.3AI score0.00902EPSS
CVE
CVE
added 2014/04/11 1:0 a.m.55 views

CVE-2014-2741

Openfire before 3.9.2 is affected by a denial-of-service due to improper restriction in nio/XMLLightweightParser.java when processing compressed XML in XMPP streams (xmppbomb). Exploitation can exhaust resources on the server via crafted XMPP traffic. The issue is fixed in Openfire 3.9.2 and late...

7.8CVSS6.1AI score0.03774EPSS
CVE
CVE
added 2009/02/10 1:0 a.m.54 views

CVE-2009-0497

CVE-2009-0497 is an Openfire vulnerability (Openfire 3.6.2 and affected builds) where the log.jsp component fails to validate the log parameter, allowing a remote attacker to perform a directory traversal (via ..) and read arbitrary files on the server. The issue is caused by improper input valid...

5CVSS6.4AI score0.08125EPSS
CVE
CVE
added 2015/09/16 7:0 p.m.54 views

CVE-2015-6972

CVE-2015-6972 relates to multiple XSS vulnerabilities in Ignite Realtime Openfire 3.10.2. The issues arise from insufficient validation/filtering of inputs in several pages: group-summary.jsp (search parameter), plugins/clientcontrol/create-bookmark.jsp (groupchatName and urlName), and server-ses...

4.3CVSS4.6AI score0.07998EPSS
Web
CVE
CVE
added 2020/01/08 4:27 p.m.54 views

CVE-2019-20364

Ignite Realtime Openfire 4.4.4 is affected by CVE-2019-20364, an XSS vulnerability exploitable via the cacheName parameter in SystemCacheDetails.jsp. The issue originates from Openfire’s web component validating client-side data, allowing potentially crafted input to execute in a user’s browser. ...

6.1CVSS5.9AI score0.01172EPSS
CVE
CVE
added 2015/09/16 7:0 p.m.52 views

CVE-2015-6973

Openfire (Ignite Realtime) 3.10.2 is affected by CVE-2015-6973 (and related CVEs) due to insufficient CSRF protections. Multiple CSRF vulnerabilities allow remote attackers to hijack administrator sessions by issuing crafted requests to JSPs such as user-password.jsp, user-create.jsp, server-prop...

6.8CVSS7.2AI score0.64818EPSS
Web
CVE
CVE
added 2015/10/05 3:0 p.m.50 views

CVE-2015-7707

Openfire 3.10.2 is affected by CVE-2015-7707, where remote authenticated users can gain administrator access via the isadmin parameter in user-edit-form.jsp. This is part of a set of linked issues (CVE-2015-6972/6973/7707) that also include CSRF and XSS vulnerabilities, enabling privilege escalat...

6.5CVSS6.5AI score0.06029EPSS
Web
CVE
CVE
added 2020/09/02 2:37 p.m.49 views

CVE-2020-24602

Openfire 4.5.1 is affected by a reflected XSS in the Server Properties and Security Audit Viewer JSP page. The vulnerability allows an attacker to trigger arbitrary URL execution by manipulating the vulnerable GET parameters: searchName, searchValue, searchDescription, searchDefaultValue, searchP...

6.1CVSS6.3AI score0.01012EPSS
CVE
CVE
added 2020/01/08 4:27 p.m.48 views

CVE-2019-20363

Openfire 4.4.4 from Ignite Realtime has a cross-site scripting (XSS) vulnerability exposed via an alias to Manage Store Contents. The connected documents confirm the issue but do not provide detailed root-cause, exploit paths, affected components beyond the web interface, or a published fix. No r...

6.1CVSS5.9AI score0.01411EPSS
CVE
CVE
added 2020/01/08 4:27 p.m.46 views

CVE-2019-20365

The connected records confirm a cross-site scripting (XSS) vulnerability in Ignite Realtime Openfire 4.4.4, exploitable via the Users/Group search page. No public details in these documents specify the root cause beyond it being an XSS issue, or provide patch/version remediation. Other sources re...

6.1CVSS5.9AI score0.01172EPSS
CVE
CVE
added 2020/09/02 2:40 p.m.42 views

CVE-2020-24604

CVE-2020-24604 describes a reflected XSS in Ignite Realtime Openfire 4.5.1. The vulnerability allows remote attackers to inject arbitrary web script or HTML via GET parameters in the pages server-properties.jsp and security-audit-viewer.jsp (parameters include searchName, searchValue, searchDescr...

6.1CVSS5.9AI score0.01169EPSS