org.igniterealtime.openfire:xmppserver@4.2.0 vulnerabilities

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Improper Privilege Management through the admin.authorizedJIDs system property component. When an administrative user is created, his admin privileges are saved in a system property called admin.authorizedJIDs and the key used is the account’s username. If the administrative user is deleted, his username is not deleted from the admin.authorizedJIDs system property. This way, if a new user is created with the same username, the new user is automatically an administrator.

A fix was pushed into the master branch but not yet published.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to persistent use of ROOM_CACHE data for usernames after deletion of the associated account. An attacker in possession of a previously used and now deleted username can register that user name to gain access to the chat history of the user until the server is restarted.

A fix was pushed into the master branch but not yet published.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Directory Traversal via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. Path traversal protections were already in place to protect against exactly this kind of attack, but didn’t defend against certain non-standard URL encoding for UTF-16 characters, that were not supported by the embedded webserver that was in use at the time.

Impact:

The combination of the wildcard pattern matching and path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages.

Note:

Users should be aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web)endpoint to the embedded webserver that serves the Openfire administrative console, like current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property adminConsole.access.allow-wildcards-in-excludes to true, and to avoid binding the embedded webserver to the loopback network interface only.

When the server uses older versions of the following plugins, users should make sure to upgrade them:

• Random Avatar plugin, update to version 1.1.0 or later.
• Monitoring Service plugin, update to version 2.5.0 or later.
• HTTP File Upload plugin, update to version 1.3.0 or later.

A fix was pushed into the master branch but not yet published.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the driver parameter, in setup/setup-datasource-standard.jsp.

Upgrade org.igniterealtime.openfire:xmppserver to version 4.4.2 or higher.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the password parameter, in setup/setup-datasource-standard.jsp.

Upgrade org.igniterealtime.openfire:xmppserver to version 4.4.2 or higher.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the username parameter, in setup/setup-datasource-standard.jsp.

Upgrade org.igniterealtime.openfire:xmppserver to version 4.4.2 or higher.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Directory Traversal which allows admin users to read local files.

NOTE: This vulnerability is only exploitable on Windows systems.

A fix was pushed into the master branch but not yet published.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the alias parameter within Manage Store Contents.

Upgrade org.igniterealtime.openfire:xmppserver to version 4.5.0 or higher.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) which can be exploited via the cacheName parameter within SystemCacheDetails.jsp.

A fix was pushed into the master branch but not yet published.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Due to no user input sanitization, it is possible to inject malicious JavaScript within the search parameter of the Users/Group search page.

A fix was pushed into the master branch but not yet published.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF) in FaviconServlet.java which allows attackers to send arbitrary HTTP GET requests.

Upgrade org.igniterealtime.openfire:xmppserver to version 4.5.0 or higher.

org.igniterealtime.openfire:xmppserver is an is a XMPP server licensed under the Open Source Apache License.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via an LDAP setup test.

Upgrade org.igniterealtime.openfire:xmppserver to version 4.4.1 or higher.