Vulnerabilities > Prosody > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-08-26 | CVE-2022-0217 | XML Entity Expansion vulnerability in Prosody It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. | 7.5 |
| 2021-07-30 | CVE-2021-37601 | Unspecified vulnerability in Prosody muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations. | 7.5 |
| 2021-05-13 | CVE-2021-32918 | Resource Exhaustion vulnerability in multiple products An issue was discovered in Prosody before 0.11.9. | 7.5 |
| 2021-05-13 | CVE-2021-32919 | Improper Certificate Validation vulnerability in multiple products An issue was discovered in Prosody before 0.11.9. | 7.5 |
| 2021-05-13 | CVE-2021-32920 | Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. | 7.5 |
| 2014-04-11 | CVE-2014-2745 | Permissions, Privileges, and Access Controls vulnerability in Prosody Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua. | 7.8 |
| 2014-04-11 | CVE-2014-2744 | Improper Input Validation vulnerability in multiple products plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack. | 7.8 |