Maven package
org.igniterealtime.openfire/xmppserver
pkg:maven/org.igniterealtime.openfire/xmppserver
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59154 | Med | 5.9 | | < 5.0.2 | 5.0.2 | Sep 15, 2025 | Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code c |
| CVE-2024-25421 | — | | | < 4.8.1 | 4.8.1 | Mar 26, 2024 | An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the ROOM_CACHE component. |
| CVE-2024-25420 | — | | | < 4.8.1 | 4.8.1 | Mar 26, 2024 | An issue in Ignite Realtime Openfire before 4.8.1 allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component. |
| CVE-2023-32315 | — | | KEV | >= 3.10.0, < 4.6.8 | 4.6.8 | May 26, 2023 | Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated |
| CVE-2019-20528 | — | | | < 4.4.2 | 4.4.2 | Mar 18, 2020 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. |
| CVE-2019-15488 | — | | | < 4.4.1 | 4.4.1 | Aug 23, 2019 | Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. |