Openfire Security Bypass Vulnerabilities Network Vulnerability

Impact

Successful exploitation will let the attacker change the passwords of arbitrary accounts via a modified username element in a passwd_change action or can bypass intended policy and change their own passwords via a passwd_change IQ packet. Impact Level: Application/Network Impact Level: Application/Network

Solution

Upgrade to Openfire 3.6.4 or later http://www.igniterealtime.org/projects/openfire ***** Note: Vulnerability is related to CVE-2009-1595 and CVE-2009-1596 *****

Affected

Openfire prior to 3.6.4

References

http://secunia.com/advisories/34976
http://secunia.com/advisories/34984
http://www.igniterealtime.org/issues/browse/JM-1531
http://www.igniterealtime.org/issues/browse/JM-1532

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-1595

CVSS	Base Score: 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

Related Vulnerabilities

Adobe JRun Management Console Multiple Vulnerabilities
12Planet Chat Server one2planet.infolet.InfoServlet XSS
Apache Struts2 'XWork' Information Disclosure Vulnerability
Apache Tomcat DOS Device Name XSS
Apache ActiveMQ 'Cron Jobs' Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities