Skip to main content

Openfire

21 CVEs product

Monthly

CVE-2024-25421 Maven CRITICAL POC PATCH Act Now

An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the ROOM_CACHE component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Openfire
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2024-25420 Maven HIGH POC PATCH This Week

An issue in Ignite Realtime Openfire before 4.8.1 allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Openfire
NVD GitHub
CVSS 3.1
7.2
EPSS
1.4%
CVE-2023-32315 Maven HIGH POC KEV PATCH THREAT Act Now

Openfire is an XMPP server licensed under the Open Source Apache License. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Openfire
NVD GitHub
CVSS 3.1
7.5
EPSS
100.0%
CVE-2020-35202 MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-35201 MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.7%
CVE-2020-35200 MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-35199 MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-35127 MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2020-24604 MEDIUM POC This Month

A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
CVSS 3.1
6.1
EPSS
1.2%
CVE-2020-24602 MEDIUM POC This Month

Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName",. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2020-24601 MEDIUM POC This Month

In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2019-18394 Maven CRITICAL POC PATCH THREAT Act Now

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Java SSRF Openfire
NVD GitHub
CVSS 3.1
9.8
EPSS
32.3%
CVE-2019-18393 Maven MEDIUM POC PATCH THREAT This Month

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Java Path Traversal Openfire
NVD GitHub
CVSS 3.1
5.3
EPSS
13.9%
CVE-2019-15488 Maven MEDIUM PATCH This Month

Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openfire
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-11688 Maven MEDIUM POC PATCH This Month

Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD GitHub
CVSS 3.0
6.1
EPSS
2.4%
CVE-2017-15911 Maven MEDIUM PATCH This Month

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE CSRF Openfire
NVD
CVSS 3.0
4.8
EPSS
0.5%
CVE-2014-3451 HIGH This Week

OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openfire
NVD
CVSS 3.0
7.5
EPSS
1.3%
CVE-2015-7707 MEDIUM POC This Month

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Openfire
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
3.9%
CVE-2015-6973 MEDIUM POC THREAT This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 16.1%.

CSRF Openfire
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
16.1%
CVE-2015-6972 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
4.6%
CVE-2014-2741 Maven HIGH PATCH This Week

nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Privilege Escalation Java Openfire
NVD VulDB
CVSS 2.0
7.8
EPSS
3.2%
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the ROOM_CACHE component. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Openfire
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

An issue in Ignite Realtime Openfire before 4.8.1 allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Openfire
NVD GitHub
EPSS 100% CVSS 7.5
HIGH POC KEV PATCH THREAT Act Now

Openfire is an XMPP server licensed under the Open Source Apache License. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Apache Path Traversal Openfire
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName",. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD
EPSS 32% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Java SSRF Openfire
NVD GitHub
EPSS 14% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Java Path Traversal Openfire
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openfire
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openfire
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE CSRF +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openfire
NVD
EPSS 4% CVSS 6.5
MEDIUM POC This Month

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Openfire
NVD Exploit-DB
EPSS 16% CVSS 6.8
MEDIUM POC THREAT This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 16.1%.

CSRF Openfire
NVD Exploit-DB
EPSS 5% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Openfire
NVD Exploit-DB
EPSS 3% CVSS 7.8
HIGH PATCH This Week

nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Privilege Escalation Java +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy