Igniterealtime Openfire — known CVE vulnerabilities
Every CVE whose affected-product data names Igniterealtime Openfire, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (37)
CVE-2019-18394 — CVSS 9.8 (critical): A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to…
CVE-2024-25421 — CVSS 9.8 (critical): An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the ROOM_CACHE component.
CVE-2021-45967 — CVSS 9.8 (critical): An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads…
CVE-2014-2741 — CVSS 7.8 (high): nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML…
CVE-2008-6508 — CVSS 7.5 (high): Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to…
CVE-2008-6509 — CVSS 7.5 (high): SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL…
CVE-2014-3451 — CVSS 7.5 (high): OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks.
CVE-2024-25420 — CVSS 7.2 (high): An issue in Ignite Realtime Openfire before 4.8.1 allows a remote attacker to escalate privileges via the admin.authorizedJIDs system…
CVE-2009-1596 — CVSS 6.5 (medium): Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration…
CVE-2015-7707 — CVSS 6.5 (medium): Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to…
CVE-2019-20526 — CVSS 6.1 (medium): Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter.
CVE-2018-11688 — CVSS 6.1 (medium): Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote…
CVE-2019-20364 — CVSS 6.1 (medium): An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp.
CVE-2019-20365 — CVSS 6.1 (medium): An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page.
CVE-2019-20366 — CVSS 6.1 (medium): An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents.
CVE-2019-20525 — CVSS 6.1 (medium): Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter.
CVE-2019-20527 — CVSS 6.1 (medium): Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter.
CVE-2019-20528 — CVSS 6.1 (medium): Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter.
CVE-2020-24601 — CVSS 6.1 (medium): In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the…
CVE-2020-24602 — CVSS 6.1 (medium): Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious…
CVE-2020-24604 — CVSS 6.1 (medium): A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to…
CVE-2008-6511 — CVSS 5.8 (medium): Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites…
CVE-2019-18393 — CVSS 5.3 (medium): PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home…
CVE-2009-0497 — CVSS 5.0 (medium): Directory traversal vulnerability in log.jsp in Ignite Realtime Openfire 3.6.2 allows remote attackers to read arbitrary files via a ..\…
CVE-2017-15911 — CVSS 4.8 (medium): The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who…
CVE-2008-6510 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject…
CVE-2009-1595 — CVSS 4.0 (medium): The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to…