It looks like all Openfire versions are affected by a reported vulnerability described below:
**Openfire No-Password-Changes Security Bypass**
A vulnerability has been reported in Openfire, which can be exploited by malicious users to bypass certain security restrictions.
The vulnerability is caused by Openfire not properly respecting the “no password changes” setting, which can be exploited to change passwords by sending jabber:iq:auth “passwd_change” requests to the server.
High. Exploiting this issue can allow the attacker to gain unauthorized access to the affected application and to completely compromise victims’ accounts.
Moderate. The following example data is sufficient to trigger this issue:
```xml
<iq type='set' id='passwd_change'>
```
The vendor has released an update:
Here’s the proof of concept code:
Do you know if there’s any patch available to fix this? If not, we might have to shut down our corporate server until it’s fixed.
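For anyone who wants to see what the advisory is describing, here is an added example (my own code, not Openfire’s and not the advisory’s PoC). It builds the legacy jabber:iq:auth password-change stanza and shows the server-side check that the setting is supposed to enforce. Assumptions not stated above: the stanza layout (a `<query xmlns='jabber:iq:auth'>` holding `<username>` and `<password>`, the pre-RFC legacy auth format), the `not-allowed` error reply, and the extra check that the `<username>` matches the session’s own user, which is defense in depth rather than anything the advisory mentions. Note the gate keys on the namespace and the `<password>` child, not on the `id='passwd_change'` attribute, because the client chooses that id.

```python
import xml.etree.ElementTree as ET

# Legacy (pre-RFC 3920) auth namespace named in the advisory.
NS_AUTH = "jabber:iq:auth"
# Standard stanza-error namespace used for the refusal reply.
NS_STANZA_ERR = "urn:ietf:params:xml:ns:xmpp-stanzas"


def build_legacy_passwd_change(username, new_password, stanza_id="passwd_change"):
    """Build the jabber:iq:auth password-change request the advisory refers to.

    The layout (query with <username> and <password> sent over an already
    authenticated session) is assumed from the legacy auth protocol, not taken
    from the advisory text.
    """
    iq = ET.Element("iq", {"type": "set", "id": stanza_id})
    query = ET.SubElement(iq, "query", {"xmlns": NS_AUTH})
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "password").text = new_password
    return ET.tostring(iq, encoding="unicode")


def parse_passwd_change(stanza_xml):
    """Return (username, new_password) if the stanza is a jabber:iq:auth
    password-change attempt, else None.

    Matches on <iq type='set'> plus a <password> child inside the jabber:iq:auth
    query. It deliberately ignores the iq 'id' attribute: that is chosen by the
    client, so keying a check on id='passwd_change' would be trivially bypassed.
    """
    root = ET.fromstring(stanza_xml)
    if root.tag != "iq" or root.get("type") != "set":
        return None
    query = root.find("{%s}query" % NS_AUTH)
    if query is None:
        return None
    password = query.find("{%s}password" % NS_AUTH)
    if password is None or not password.text:
        return None
    username = query.find("{%s}username" % NS_AUTH)
    return ((username.text or "") if username is not None else "", password.text)


def build_error_reply(request_xml, condition="not-allowed"):
    """Build the <iq type='error'> reply that refuses the request (assumed shape)."""
    req = ET.fromstring(request_xml)
    iq = ET.Element("iq", {"type": "error", "id": req.get("id", "")})
    err = ET.SubElement(iq, "error", {"type": "cancel"})
    ET.SubElement(err, condition, {"xmlns": NS_STANZA_ERR})
    return ET.tostring(iq, encoding="unicode")


def gate_passwd_change(stanza_xml, session_user, password_changes_allowed):
    """Server-side gate for the 'no password changes' setting.

    Returns a dict with action 'ignore' (not a password change), 'reject'
    (with the error stanza to send back) or 'change' (with the new password).
    The session_user comparison is an extra sanity check I added; the advisory
    only talks about the setting itself.
    """
    parsed = parse_passwd_change(stanza_xml)
    if parsed is None:
        return {"action": "ignore"}
    username, new_password = parsed
    if not password_changes_allowed:
        # This is the branch the advisory says Openfire skipped for jabber:iq:auth.
        return {"action": "reject", "reason": "password changes disabled",
                "reply": build_error_reply(stanza_xml)}
    if username != session_user:
        return {"action": "reject", "reason": "username does not match session",
                "reply": build_error_reply(stanza_xml)}
    return {"action": "change", "username": username, "new_password": new_password}


if __name__ == "__main__":
    # Constructed sample request; "alice"/"hunter2" are made-up values.
    request = build_legacy_passwd_change("alice", "hunter2")
    print(request)
    print(gate_passwd_change(request, "alice", password_changes_allowed=False))
    print(gate_passwd_change(request, "alice", password_changes_allowed=True))
```

To check your own deployment, the same stanza sent over an authenticated session with the setting disabled should come back as an error; if the server answers with `<iq type='result'>` and the password actually changes, that server is behaving as the advisory describes.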