Ignite Realtime Security Information

The Igniterealtime.org Community has established a security email address where questions and security vulnerability disclosures may be sent.

You can send such reports to the address security (domain part is the same as our website’s).

The following is a list of previous security disclosures for Ignite Realtime projects.

| Date | Project - Vulnerability | CVE | Jira Ticket | Release Fixed |
| --- | --- | --- | --- | --- |
| 26 March 2024 | Openfire - Deleted user not removed from room cache | CVE-2024-25421 | OF-2166 | 4.8.1 |
| 26 March 2024 | Openfire - admin.authorizedJIDs not updated after account removal | CVE-2024-25420 | OF-2758 | 4.8.1 |
| 23 May 2023 | Openfire - Admin Console Auth Bypass | CVE-2023-32315 | OF-2595 | 4.6.8, 4.7.5 |
| 26 Oct 2017 | Openfire - XSS with domain in setup-host-settings.jsp | CVE-2017-15911 | OF-1417 | 4.2.0 |
| 10 Nov 2016 | Smack - Starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used | n/a | SMACK-739 | 4.1.9 |
| 21 Sep 2016 | Openfire - Reflective Cross-Site Scripting vulnerability on setup test page | n/a | OF-1192 | |
| 22 Jul 2016 | Openfire - Stored Cross-Site Scripting (Search plugin) | n/a | OF-1165 | 4.0.3 (1.7.1) |
| 4 Jan 2016 | Openfire - Hard coded account in Cisco Finesse Desktop (custom modification) | CVE-2016-1307 | n/a | n/a |
| 6 Nov 2015 | Openfire - Privilege Escalation in user-edit-form.jsp | CVE-2015-7707 | OF-941 | 4.1.0 |
| 16 Sep 2015 | Openfire - Admin Console XSS | CVE-2015-6973 | OF-942 | 4.1.0 |
| 16 Sep 2015 | Openfire - Admin Console XSS | CVE-2015-6972 | OF-942 | 4.1.0 |
| 31 Oct 2014 | Openfire - XSS vulnerability in Monitoring Service pages in Admin Console (Monitoring Service plugin) | n/a | OF-845 | 4.1.0 |
| 6 Aug 2014 | Openfire - Multiple Reflected XSS Vulnerabilities in Admin Console | n/a | OF-836 | 4.1.0 |
| 30 Apr 2014 | Openfire - Admin Console Cross Site Request Forgery (CSRF) Vulnerability | n/a | OF-777 | 4.1.0 |
| 8 Apr 2014 | Openfire - Uncontrolled Resource Consumption with XMPP-Layer Compression | CVE-2014-2741 | OF-770 | 3.9.2 |
| 11 May 2009 | Openfire - Password Change | CVE-2009-1596 | OF-221 | 3.6.5 |
| 11 May 2009 | Openfire - Changing other User Passwords | CVE-2009-1595 | OF-1110 | 3.6.4 |
| 23 Mar 2009 | Openfire - Open redirect vulnerability in login.jsp | CVE-2008-6511 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - Cross-site scripting (XSS) vulnerability in login.jsp | CVE-2008-6510 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - SQL Injection | CVE-2008-6509 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - Directory traversal vulnerability in the AuthCheck filter | CVE-2008-6508 | ... | 3.6.1 |
| 10 Feb 2009 | Openfire - Directory traversal vulnerability in log.jsp | CVE-2009-0497 | ... | 3.6.3 |
| 10 Feb 2009 | Openfire - Multiple cross-site scripting (XSS) vulnerabilities | CVE-2009-0496 | ... | 3.6.3 |
| 11 Apr 2008 | Openfire - Denial of service (daemon outage) in ConnectionManagerImpl.java | CVE-2008-1728 | ... | 3.5.0 |
| 1 Jun 2007 | Openfire - Unauthorized access through DWR | CVE-2007-2975 | ... | 3.3.2 |
| 31 Dec 2006 | Openfire - Admin Console - XSS in login.jsp | CVE-2006-7233 | OF-90 | 3.7.0 |
| 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4876 | OF-90 | 3.7.0 |
| 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4877 | OF-90 | 3.7.0 |

Do we really have to list here issues based on someone else's modifications? We can't do anything about it, and filling the list with such ones just creates a bad image for us. At least it could be a separate table at the bottom ("related stuff" or something…).