Description
Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.
References
- Broken Link, Vendor Advisory
- Exploit, Issue Tracking, Patch, Vendor Advisory
- Patch, Permissions Required, Vendor Advisory
- Broken Link
- Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry
- Third Party Advisory, VDB Entry
Vulnerable configurations
Configuration 1: versions before 3.6.5 (excluding)
cpe:2.3:a:igniterealtime:openfire:*:*:*:*:*:*:*:*
EPSS: 0.00351 (percentile: 57%), Low
CVSS3: 6.5 Medium
CVSS2: 4 Medium
Weaknesses
CWE-287
Related vulnerabilities
CVSS3: 6.5
github
almost 4 years ago
Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.