Ejabberd
Monthly
ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.