Unrated severityNVD Advisory· Published Jun 1, 2007· Updated Apr 23, 2026

CVE-2007-2975

Description

The admin console in Ignite Realtime Openfire 3.3.0 and earlier (formerly Wildfire) does not properly specify a filter mapping in web.xml, which allows remote attackers to gain privileges and execute arbitrary code by accessing functionality that is exposed through DWR, as demonstrated using the downloader.

Affected products

Igniterealtime/Openfire13 versions
cpe:2.3:a:ignite_realtime:openfire:*:*:*:*:*:*:*:*+ 12 more
- cpe:2.3:a:ignite_realtime:openfire:*:*:*:*:*:*:*:*range: <=3.3.0
- cpe:2.3:a:ignite_realtime:openfire:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:ignite_realtime:openfire:3.2.4:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.igniterealtime.org/issues/browse/JM-1049nvdPatchVendor Advisory
www.securityfocus.com/bid/24205nvdPatch
secunia.com/advisories/25427nvdVendor Advisory
blogs.reucon.com/srt/2007/05/11/openfire_3_3_1_fixes_critical_security_issue.htmlnvd
www.osvdb.org/36713nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000