Vulnerabilities > Igniterealtime > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2020-01-08 | CVE-2019-20365 | Cross-site Scripting vulnerability in Igniterealtime Openfire 4.4.4 | An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page. | 4.3 |
2020-01-08 | CVE-2019-20364 | Cross-site Scripting vulnerability in Igniterealtime Openfire 4.4.4 | An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp. | 4.3 |
2020-01-08 | CVE-2019-20363 | Cross-site Scripting vulnerability in Igniterealtime Openfire 4.4.4 | An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via alias to Manage Store Contents. | 4.3 |
2019-10-24 | CVE-2019-18393 | Path Traversal vulnerability in Igniterealtime Openfire | PluginServlet.java in Ignite Realtime Openfire through 4.4.2 does not ensure that retrieved files are located under the Openfire home directory, aka a directory traversal vulnerability. | 5.0 |
2019-08-23 | CVE-2019-15488 | Cross-site Scripting vulnerability in Igniterealtime Openfire | Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. | 4.3 |
2018-06-13 | CVE-2018-11688 | Cross-site Scripting vulnerability in Igniterealtime Openfire 3.7.1 | Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. | 4.3 |
2018-05-15 | CVE-2017-2815 | XXE vulnerability in Igniterealtime User Import Export 2.6.0 | An exploitable XML entity injection vulnerability exists in OpenFire User Import Export Plugin 2.6.0. | 5.5 |
2017-08-18 | CVE-2014-3451 | Improper Certificate Validation vulnerability in Igniterealtime Openfire | OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. | 5.0 |
2017-01-12 | CVE-2016-10027 | Race Condition vulnerability in multiple products | Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response. | 5.9 |
2015-10-05 | CVE-2015-7707 | Permissions, Privileges, and Access Controls vulnerability in Igniterealtime Openfire 3.10.2 | Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp. | 6.5 |