org.igniterealtime.openfire:xmppserver@4.2.0 vulnerabilities
- latest version: 4.2.0
- first published: 6 years ago
- latest version published: 6 years ago
- licenses detected: [4.2.0,)
- package manager
Direct Vulnerabilities
Known vulnerabilities in the org.igniterealtime.openfire:xmppserver package. This does not include vulnerabilities belonging to this package’s dependencies.
| Vulnerability | Vulnerable Version |
|---|---|
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Improper Privilege Management through the How to fix Improper Privilege Management? A fix was pushed into the | [0,) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to persistent use of How to fix Use of Cache Containing Sensitive Information? A fix was pushed into the | [0,) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Directory Traversal via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. Path traversal protections were already in place to protect against exactly this kind of attack, but did not defend against certain non-standard URL encodings of UTF-16 characters that were not supported by the embedded webserver in use at the time. Impact: the combination of wildcard pattern matching and the path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages. Note: users should be aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web) endpoint to the embedded webserver that serves the Openfire administrative console, as current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property When the server uses older versions of the following plugins, users should make sure to upgrade them: How to fix Directory Traversal? A fix was pushed into the | [3.10.0,); [4.7.0,) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade | [,4.4.2) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade | [,4.4.2) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade | [,4.4.2) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Directory Traversal, which allows admin users to read local files. NOTE: This vulnerability is only exploitable on Windows systems. How to fix Directory Traversal? A fix was pushed into the | [0,) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade | [,4.5.0) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which can be exploited via the How to fix Cross-site Scripting (XSS)? A fix was pushed into the | [0,) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Due to missing user input sanitization, it is possible to inject malicious JavaScript within the How to fix Cross-site Scripting (XSS)? A fix was pushed into the | [0,) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF) in How to fix Server Side Request Forgery (SSRF)? Upgrade | [,4.5.0) |
| org.igniterealtime.openfire:xmppserver is an XMPP server licensed under the Open Source Apache License. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an LDAP setup test. How to fix Cross-site Scripting (XSS)? Upgrade | [,4.4.1) |