Ignite Realtime Security Information

The Igniterealtime.org Community has established a security email address where questions and security vulnerability disclosures may be sent.

You can send such reports to the address security (domain part is the same as our website’s).

The following is a list of previous security disclosures for Ignite Realtime projects.

| Date | Project - Vulnerability | CVE | Jira Ticket | Release Fixed |
|---|---|---|---|---|
| 23 May 2023 | Openfire - Admin Console Auth Bypass | CVE-2023-32315 | OF-2595 | 4.6.8, 4.7.5 |
| 26 Oct 2017 | Openfire - XSS with domain in setup-host-settings.jsp | CVE-2017-15911 | OF-1417 | 4.2.0 |
| 10 Nov 2016 | Smack - Starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used | n/a | SMACK-739 | 4.1.9 |
| 21 Sep 2016 | Openfire - Reflective Cross-Site Scripting vulnerability on setup test page | n/a | OF-1192 | |
| 22 Jul 2016 | Openfire - Stored Cross-Site Scripting (Search plugin) | n/a | OF-1165 | 4.0.3 (1.7.1) |
| 4 Jan 2016 | Openfire - Hard coded account in Cisco Finesse Desktop (custom modification) | CVE-2016-1307 | n/a | n/a |
| 6 Nov 2015 | Openfire - Privilege Escalation in user-edit-form.jsp | CVE-2015-7707 | OF-941 | 4.1.0 |
| 16 Sep 2015 | Openfire - Admin Console XSS | CVE-2015-6973 | OF-942 | 4.1.0 |
| 16 Sep 2015 | Openfire - Admin Console XSS | CVE-2015-6972 | OF-942 | 4.1.0 |
| 31 Oct 2014 | Openfire - XSS vulnerability in Monitoring Service pages in Admin Console (Monitoring Service plugin) | n/a | OF-845 | 4.1.0 |
| 6 Aug 2014 | Openfire - Multiple Reflected XSS Vulnerabilities in Admin Console | n/a | OF-836 | 4.1.0 |
| 30 Apr 2014 | Openfire - Admin Console Cross Site Request Forgery (CSRF) Vulnerability | n/a | OF-777 | 4.1.0 |
| 8 Apr 2014 | Openfire - Uncontrolled Resource Consumption with XMPP-Layer Compression | CVE-2014-2741 | OF-770 | 3.9.2 |
| 11 May 2009 | Openfire - Password Change | CVE-2009-1596 | OF-221 | 3.6.5 |
| 11 May 2009 | Openfire - Changing other User Passwords | CVE-2009-1595 | OF-1110 | 3.6.4 |
| 23 Mar 2009 | Openfire - Open redirect vulnerability in login.jsp | CVE-2008-6511 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - Cross-site scripting (XSS) vulnerability in login.jsp | CVE-2008-6510 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - SQL Injection | CVE-2008-6509 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - Directory traversal vulnerability in the AuthCheck filter | CVE-2008-6508 | ... | 3.6.1 |
| 10 Feb 2009 | Openfire - Directory traversal vulnerability in log.jsp | CVE-2009-0497 | ... | 3.6.3 |
| 10 Feb 2009 | Openfire - Multiple cross-site scripting (XSS) vulnerabilities | CVE-2009-0496 | ... | 3.6.3 |
| 11 Apr 2008 | Openfire - Denial of service (daemon outage) in ConnectionManagerImpl.java | CVE-2008-1728 | ... | 3.5.0 |
| 1 Jun 2007 | Openfire - Unauthorized access through DWR | CVE-2007-2975 | ... | 3.3.2 |
| 31 Dec 2006 | Openfire - Admin Console - XSS in login.jsp | CVE-2006-7233 | OF-90 | 3.7.0 |
| 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4876 | OF-90 | 3.7.0 |
| 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4877 | OF-90 | 3.7.0 |

Do we really have to list here issues based on someone else’s modifications? We can’t do anything about it and filling the list with such ones just creates a bad image for us. At least it could be a separate table at the bottom (“related stuff” or something…).