Vulnerabilities > Prosody

| Date | CVE | Vulnerability title | Description | Attack vector / complexity | Vendors / CWE | Risk |
|---|---|---|---|---|---|---|
| 2021-07-30 | CVE-2021-37601 | Exposure of Resource to Wrong Sphere vulnerability in Prosody | muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations. | network, low complexity | prosody; CWE-668 | 5.0 |
| 2021-05-13 | CVE-2021-32917 | Missing Authorization vulnerability in multiple products | An issue was discovered in Prosody before 0.11.9. | | | 4.3 |
| 2021-05-13 | CVE-2021-32918 | Resource Exhaustion vulnerability in multiple products | An issue was discovered in Prosody before 0.11.9. | network, low complexity | prosody, debian, fedoraproject; CWE-400 | 5.0 |
| 2021-05-13 | CVE-2021-32919 | Improper Certificate Validation vulnerability in multiple products | An issue was discovered in Prosody before 0.11.9. | | | 4.3 |
| 2021-05-13 | CVE-2021-32920 | Resource Exhaustion vulnerability in multiple products | Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. | network, low complexity | prosody, debian, fedoraproject; CWE-400 | 7.8 |
| 2021-05-13 | CVE-2021-32921 | Race Condition vulnerability in multiple products | An issue was discovered in Prosody before 0.11.9. | | | 4.3 |
| 2020-01-28 | CVE-2020-8086 | Incorrect Authorization vulnerability in multiple products | The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. | | | 6.8 |
| 2018-07-30 | CVE-2018-10847 | Improper Authentication vulnerability in Prosody | Prosody before versions 0.10.2 and 0.9.14 is vulnerable to an authentication bypass. | network, low complexity | prosody; CWE-287 | 6.5 |
| 2018-05-09 | CVE-2017-18265 | | Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. | network, low complexity | prosody, debian | 5.0 |
| 2016-01-29 | CVE-2016-0756 | Improper Input Validation vulnerability in Prosody | The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix. | network, low complexity | prosody; CWE-20 | 5.0 |