Ignite Realtime Security Information

akrherz · June 3, 2009, 11:54am

The Igniterealtime.org Community has established a security email address where questions and security vulnerability disclosures may be sent.

You can send such reports to the address security (domain part is the same as our website’s).

The following are a list of previous security disclosures for Ignite Realtime Projects.

Date	Project - Vulernability	CVE	Jira Ticket	Release Fixed
23 May 2023	Openfire - Admin Console Auth Bypass	CVE-2023-32315	OF 2595	4.6.8, 4.7.5
26 Oct 2017	Openfire - XSS with domain in setup-host-settings.jsp	CVE-2017-15911	OF 1417	4.2.0
10 Nov 2016	Smack - Starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used	n/a	SMACK-739	4.1.9
21 Sep 2016	Openfire - Reflective Cross-Site Scripting vulnerability on setup test page	n/a	OF-1192
22 Jul 2016	Openfire - Stored Cross-Site Scripting (Search plugin)	n/a	OF-1165	4.0.3 (1.7.1)
4 Jan 2016	Openfire - Hard coded account in Cisco Finesse Desktop (custom modification)	CVE-2016-1307	n/a	n/a
6 Nov 2015	Openfire - Privilege Escalation in user-edit-form.jsp	CVE-2015-7707	OF-941	4.1.0
16 Sep 2015	Openfire - Admin Console XSS	CVE-2015-6973	OF-942	4.1.0
16 Sep 2015	Openfire - Admin Console XSS	CVE-2015-6972	OF-942	4.1.0
31 Oct 2014	Openfire - XSS vulnerability in Monitoring Service pages in Admin Console (Monitoring Service plugin)	n/a	OF-845	4.1.0
6 Aug 2014	Openfire - Multiple Reflected XSS Vulnerabilities in Admin Console	n/a	OF-836	4.1.0
30 Apr 2014	Openfire - Admin Console Cross Site Request Forgery (CSRF) Vulnerability	n/a	OF-777	4.1.0
8 Apr 2014	Openfire - Uncontrolled Resource Consumption with XMPP-Layer Compression	CVE-2014-2741	OF-770	3.9.2
11 May 2009	Openfire - Password Change	CVE-2009-1596	OF-221	3.6.5
11 May 2009	Openfire - Changing other User Passwords	CVE-2009-1595	OF-1110	3.6.4
23 Mar 2009	Openfire - Open redirect vulnerability in login.jsp	CVE-2008-6511	...	3.6.1
23 Mar 2009	Openfire - Cross-site scripting (XSS) vulnerability in login.jsp	CVE-2008-6510	...	3.6.1
23 Mar 2009	Openfire - SQL Injection	CVE-2008-6509	...	3.6.1
23 Mar 2009	Openfire - Directory traversal vulnerability in the AuthCheck filter	CVE-2008-6508	...	3.6.1
10 Feb 2009	Openfire - Directory traversal vulnerability in log.jsp	CVE-2009-0497	...	3.6.3
10 Feb 2009	Openfire - Multiple cross-site scripting (XSS) vulnerabilities	CVE-2009-0496	...	3.6.3
11 Apr 2008	Openfire - Denial of service (daemon outage) in ConnectionManagerImpl.java	CVE-2008-1728	...	3.5.0
1 Jun 2007	Openfire - Unauthorized access through DWR	CVE-2007-2975	...	3.3.2
31 Dec 2006	Openfire - Admin Console - XSS in login.jsp	CVE-2006-7233	OF-90	3.7.0
31 Dec 2005	Openfire - Admin Console - XSS in login.jsp	CVE-2005-4876	OF-90	3.7.0
31 Dec 2005	Openfire - Admin Console - XSS in login.jsp	CVE-2005-4877	OF-90	3.7.0

wroot · July 23, 2016, 9:38am

Do we really have to list here issues based on someone’s else modifications? We can’t do anything about it and filling the list with such ones just creates a bad image for us. At least it could be a separate table at the bottom (“related stuf” or something…).