VYPR

rpm package

opensuse/prosody (distro: openSUSE Tumbleweed)

pkg:rpm/opensuse/prosody&distro=openSUSE%20Tumbleweed

Vulnerabilities (9)

  • CVE-2022-0217 (Aug 26, 2022)
    affected: < 0.11.12-1.1; fixed: 0.11.12-1.1

    It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depen

  • CVE-2021-37601 (Jul 28, 2021)
    affected: < 0.11.10-1.2; fixed: 0.11.10-1.2

    muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.

  • CVE-2021-32920 (May 13, 2021)
    affected: < 0.11.10-1.2; fixed: 0.11.10-1.2

    Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.

  • CVE-2021-32919 (May 13, 2021)
    affected: < 0.11.10-1.2; fixed: 0.11.10-1.2

    An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impe

  • CVE-2021-32918 (May 13, 2021)
    affected: < 0.11.10-1.2; fixed: 0.11.10-1.2

    An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.

  • CVE-2021-32917 (May 13, 2021)
    affected: < 0.11.10-1.2; fixed: 0.11.10-1.2

    An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

  • CVE-2016-0756 (Medium, Jan 29, 2016)
    affected: < 0.9.11-1.1; fixed: 0.9.11-1.1

    The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target d

  • CVE-2016-1232 (High, Jan 12, 2016)
    affected: < 0.9.11-1.1; fixed: 0.9.11-1.1

    The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.

  • CVE-2016-1231 (Medium, Jan 12, 2016)
    affected: < 0.9.11-1.1; fixed: 0.9.11-1.1

    Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.