Maven package
org.igniterealtime.openfire/parent
pkg:maven/org.igniterealtime.openfire/parent
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-20526 | — | — | — | < 4.4.2 | 4.4.2 | Mar 19, 2020 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter. |
| CVE-2019-20525 | — | — | — | < 4.4.2 | 4.4.2 | Mar 19, 2020 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter. |
| CVE-2019-20527 | — | — | — | < 4.4.2 | 4.4.2 | Mar 19, 2020 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter. |
| CVE-2019-20366 | — | — | — | < 4.5.0 | 4.5.0 | Jan 8, 2020 | An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents. |
| CVE-2019-18394 | — | — | — | < 4.5.0-beta | 4.5.0-beta | Oct 24, 2019 | A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. |
| CVE-2019-18393 | — | — | — | < 4.5.0-beta | 4.5.0-beta | Oct 24, 2019 | PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. |
| CVE-2018-11688 | — | — | — | < 3.9.2 | 3.9.2 | Jun 13, 2018 | Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the h |
| CVE-2017-15911 | Med | 4.8 | — | < 4.1.7 | 4.1.7 | Oct 26, 2017 | The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassin |
| CVE-2014-2741 | — | — | — | < 3.9.2 | 3.9.2 | Apr 11, 2014 | nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack. |
| CVE-2009-1595 | — | — | — | < 3.6.4 | 3.6.4 | May 11, 2009 | The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action. |
| CVE-2008-1728 | — | — | — | < 3.5.0 | 3.5.0 | Apr 11, 2008 | ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service (daemon outage) by triggering large outgoing queues without reading messages. |
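The containment check that CVE-2019-18393 says PluginServlet.java lacked, written here as an added Python example rather than Openfire's own Java code: every requested path is resolved against the Openfire home directory and refused if it lands outside it, with symlinks followed before the comparison. The directory layout, file names, request strings and the `resolve_under`/`demo` helpers are constructed for this demo and are not taken from Openfire.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_under(home_dir: str, requested: str) -> Optional[str]:
    """Return the real filesystem path for `requested` if it lies inside
    home_dir, otherwise None.

    Both sides go through os.path.realpath so that '..' segments are
    collapsed and symlinks are followed before the comparison; a link inside
    the tree that points outside it is therefore rejected as well. A servlet
    path-info value starts with '/', so leading separators are stripped
    first, otherwise os.path.join would discard home_dir entirely.
    """
    base = os.path.realpath(home_dir)
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, relative))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    return candidate if inside else None


def demo() -> Dict[str, bool]:
    """Build a throwaway Openfire-like tree (constructed sample data) and
    report which request paths the check accepts."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "openfire")
        os.makedirs(os.path.join(home, "plugins", "admin"))
        with open(os.path.join(home, "plugins", "admin", "index.html"), "w") as f:
            f.write("<html></html>")
        # A file outside the home directory that an attacker would want to read.
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("db password")
        # A symlink inside the tree that points at the outside file.
        os.symlink(secret, os.path.join(home, "plugins", "link"))

        requests = [
            "/plugins/admin/index.html",           # legitimate plugin resource
            "/plugins/admin/../../../secret.txt",  # classic traversal
            "/../secret.txt",                      # traversal from the root
            "/plugins/link",                       # symlink escape
            "/plugins/admin/missing.html",         # inside the tree but absent
        ]
        return {r: resolve_under(home, r) is not None for r in requests}
```

A missing file inside the tree still passes the check; the servlet then answers 404 as usual, which is the intended division of labour. Scanning the string for `..` instead of comparing resolved paths misses symlinks and any encoding the container decodes before the servlet runs, which is why the comparison is done on real paths.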
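An added Python illustration of the kind of limit CVE-2014-2741 calls for on compressed XMPP input; it is not Openfire's XMLLightweightParser code, and the real limit and setting names are not shown on this page. Each compressed chunk is inflated with a hard cap on the bytes produced for the stanza in flight, so a few kilobytes of zlib stream compression cannot expand into an unbounded buffer. The 1 MiB cap, the `inflate_bounded`/`is_rejected` helpers and the sample stanzas are assumptions constructed for this demo.

```python
import zlib

# Assumed cap on the inflated size of a single stanza; Openfire's actual
# setting is not shown on this page.
MAX_STANZA_BYTES = 1024 * 1024


class StanzaTooLarge(Exception):
    """Raised when inflating a stanza would exceed the configured cap."""


def inflate_bounded(compressed: bytes, limit: int = MAX_STANZA_BYTES) -> bytes:
    """Inflate one compressed stanza, never producing more than `limit` bytes.

    zlib's decompressobj stops as soon as max_length output bytes exist, so
    asking for limit + 1 bytes is enough to learn that the cap was exceeded
    without materialising the whole payload. The unbounded alternative,
    zlib.decompress(compressed), is what turns a few kilobytes of input into
    a memory-exhausting buffer.
    """
    inflater = zlib.decompressobj()
    out = inflater.decompress(compressed, limit + 1)
    if len(out) > limit:
        raise StanzaTooLarge(
            f"stanza expanded past {limit} bytes from {len(compressed)} compressed bytes"
        )
    return out


def is_rejected(compressed: bytes, limit: int = MAX_STANZA_BYTES) -> bool:
    """True if the bounded inflater refuses this input."""
    try:
        inflate_bounded(compressed, limit)
    except StanzaTooLarge:
        return True
    return False


# Constructed samples: an ordinary stanza, and a bomb whose body is 4 MiB of
# one repeated byte, which deflate shrinks to a few KiB on the wire.
BENIGN_PLAIN = b'<message to="alice@example.org"><body>hi</body></message>'
BENIGN = zlib.compress(BENIGN_PLAIN)
BOMB = zlib.compress(b"<message><body>" + b"A" * (4 * 1024 * 1024) + b"</body></message>")
```

In a real stream the inflater object lives for the whole connection and the counter is applied to the bytes buffered for the current, not yet complete, stanza, resetting at each stanza boundary; the single-shot call above shows the cap itself. Rejecting on expansion ratio alone is weaker, because a legitimate large stanza and a bomb can share a ratio while only one of them exhausts memory.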