8 matches found
CVE-2010-0305
CVE-2010-0305 affects ejabberd prior to 2.1.3, where ejabberd_c2s.erl can be triggered by a large number of client-to-server (c2s) messages to overload the server queue, causing a denial of service (daemon crash). The vulnerability is network-exploitable with low attack complexity and no authenti...
CVE-2009-0934
CVE-2009-0934 describes a cross-site scripting (XSS) vulnerability in ejabberd up to version 2.0.4, where remote attackers could inject arbitrary web script or HTML via unknown vectors related to links and MUC logs. Public advisories confirm the issue as remote and require upgrading to a fixed re...
CVE-2011-1753
CVE-2011-1753 affects ejabberd prior to 2.1.7 and 3.x prior to 3.0.0-alpha-3, and exmpp prior to 0.9.7. The issue is improper detection of recursion during XML entity expansion, enabling a remote attacker to induce memory and CPU exhaustion (DoS) through a crafted XML document with a large number...
CVE-2007-0903
The vulnerability concerns the ejabberd server, specifically the mod_roster_odbc module, with affected versions listed as before 1.1.3. The connected records indicate an unspecified vulnerability with unknown impact and attack vectors; no concrete root cause or exploitation details are provided i...
CVE-2006-2221
The CVE-2006-2221 entry describes a vulnerability in a third-party installer generator tool (likely BitRock InstallBuilder) used by products such as Process-one ejabberd 1.1.1_1 and earlier. The issue enables a local denial of service via a symlink attack on the temporary bitrock_installer.log fi...
CVE-2011-4320
The CVE-2011-4320 issue affects the mod_pubsub module (mod_pubsub.erl) in ejabberd 2.1.8 and 3.0.0-alpha-3. An unauthenticated? or remote authenticated user can trigger a denial of service by sending a publish stanza without a node attribute, causing an infinite loop. The root cause is input vali...
CVE-2013-6169
CVE-2013-6169 affects ejabberd: the TLS driver in ejabberd before 2.1.12 accepts SSLv2 and weak ciphers, enabling remote attackers to obtain sensitive information via brute-force. Affected product: ejabberd (pre-2.1.12). Impact: potential exposure of sensitive data; integrity and confidentiality ...
CVE-2014-8760
CVE-2014-8760 affects ejabberd prior to 2.1.13, where the starttls_required setting is not enforced when compression is used, allowing connections to be established without encryption. Public disclosures/ advisories (Debian DLA-881-1, Mandriva MDVSA entries, Mageia advisory) document the issue an...