Prosody
CVEs (12)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-1232 | High | 0.49 | 7.5 | 0.01 | | Jan 12, 2016 | The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack. |
| CVE-2026-43505 | Med | 0.42 | 6.5 | 0.00 | | May 1, 2026 | An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur. |
| CVE-2026-43504 | Med | 0.42 | 6.5 | 0.00 | | May 1, 2026 | An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur. |
| CVE-2016-1231 | Med | 0.38 | 5.9 | 0.01 | | Jan 12, 2016 | Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path. |
| CVE-2016-0756 | Med | 0.35 | 5.3 | 0.01 | | Jan 29, 2016 | The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix. |
| CVE-2026-43507 | Med | 0.34 | 5.3 | 0.00 | | May 1, 2026 | An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections. |
| CVE-2026-43506 | Med | 0.34 | 5.3 | 0.00 | | May 1, 2026 | An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by memory leaks from unauthenticated connections. |
| CVE-2014-2745 | | 0.00 | — | 0.02 | | Apr 11, 2014 | Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua. |
| CVE-2014-2744 | | 0.00 | — | 0.02 | | Apr 11, 2014 | plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack. |
| CVE-2011-2532 | | 0.00 | — | 0.01 | | Jun 22, 2011 | The json.decode function in util/json.lua in Prosody 0.8.x before 0.8.1 might allow remote attackers to cause a denial of service (infinite loop) via invalid JSON data, as demonstrated by truncated data. |
| CVE-2011-2531 | | 0.00 | — | 0.01 | | Jun 22, 2011 | Prosody 0.8.x before 0.8.1, when MySQL is used, assigns an incorrect data type to the value column in certain tables, which might allow remote attackers to cause a denial of service (data truncation) by sending a large amount of data. |
| CVE-2011-2205 | | 0.00 | — | 0.02 | | Jun 22, 2011 | Prosody before 0.8.1 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. |