The Igniterealtime.org Community has established a security email address where questions and security vulnerability disclosures may be sent.
You can send such reports to the address security (domain part is the same as our website’s).
The following are a list of previous security disclosures for Ignite Realtime Projects.
| Date | Project - Vulernability | CVE | Jira Ticket | Release Fixed |
|---|---|---|---|---|
| 26 March 2024 | Openfire - Deleted user not removed from room cache | CVE-2024-25421 | OF 2166 | 4.8.1 |
| 26 March 2024 | Openfire - admin.authorizedJIDs not updated after account removal | CVE-2024-25420 | OF 2758 | 4.8.1 |
| 23 May 2023 | Openfire - Admin Console Auth Bypass | CVE-2023-32315 | OF 2595 | 4.6.8, 4.7.5 |
| 26 Oct 2017 | Openfire - XSS with domain in setup-host-settings.jsp | CVE-2017-15911 | OF 1417 | 4.2.0 |
| 10 Nov 2016 | Smack - Starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used | n/a | SMACK-739 | 4.1.9 |
| 21 Sep 2016 | Openfire - Reflective Cross-Site Scripting vulnerability on setup test page | n/a | OF-1192 | |
| 22 Jul 2016 | Openfire - Stored Cross-Site Scripting (Search plugin) | n/a | OF-1165 | 4.0.3 (1.7.1) |
| 4 Jan 2016 | Openfire - Hard coded account in Cisco Finesse Desktop (custom modification) | n/a | n/a | |
| 6 Nov 2015 | Openfire - Privilege Escalation in user-edit-form.jsp | CVE-2015-7707 | OF-941 | 4.1.0 |
| 16 Sep 2015 | Openfire - Admin Console XSS | OF-942 | 4.1.0 | |
| 16 Sep 2015 | Openfire - Admin Console XSS | OF-942 | 4.1.0 | |
| 31 Oct 2014 | Openfire - XSS vulnerability in Monitoring Service pages in Admin Console (Monitoring Service plugin) | n/a | OF-845 | 4.1.0 |
| 6 Aug 2014 | Openfire - Multiple Reflected XSS Vulnerabilities in Admin Console | n/a | OF-836 | 4.1.0 |
| 30 Apr 2014 | Openfire - Admin Console Cross Site Request Forgery (CSRF) Vulnerability | n/a | OF-777 | 4.1.0 |
| 8 Apr 2014 | Openfire - Uncontrolled Resource Consumption with XMPP-Layer Compression | OF-770 | 3.9.2 | |
| 11 May 2009 | Openfire - Password Change | CVE-2009-1596 | OF-221 | 3.6.5 |
| 11 May 2009 | Openfire - Changing other User Passwords | CVE-2009-1595 | OF-1110 | 3.6.4 |
| 23 Mar 2009 | Openfire - Open redirect vulnerability in login.jsp | CVE-2008-6511 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - Cross-site scripting (XSS) vulnerability in login.jsp | CVE-2008-6510 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - SQL Injection | CVE-2008-6509 | ... | 3.6.1 |
| 23 Mar 2009 | Openfire - Directory traversal vulnerability in the AuthCheck filter | CVE-2008-6508 | ... | 3.6.1 |
| 10 Feb 2009 | Openfire - Directory traversal vulnerability in log.jsp | CVE-2009-0497 | ... | 3.6.3 |
| 10 Feb 2009 | Openfire - Multiple cross-site scripting (XSS) vulnerabilities | CVE-2009-0496 | ... | 3.6.3 |
| 11 Apr 2008 | Openfire - Denial of service (daemon outage) in ConnectionManagerImpl.java | CVE-2008-1728 | ... | 3.5.0 |
| 1 Jun 2007 | Openfire - Unauthorized access through DWR | CVE-2007-2975 | ... | 3.3.2 |
| 31 Dec 2006 | Openfire - Admin Console - XSS in login.jsp | CVE-2006-7233 | OF-90 | 3.7.0 |
| 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4876 | OF-90 | 3.7.0 |
| 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4877 | OF-90 | 3.7.0 |