igniterealtime 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、パス処理の欠陥、vendor risk sql injection, and vendor risk csrf があり、vendor surface software deployment の利用場面で vendor impact session compromise、ファイル上書き, and vendor impact unexpected behavior などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2024-25421 | An issue in Ignite Realtime Openfire v.4.9.0 and before allows a remote attacker to escalate privileges via the ROOM_CACHE component. | [email protected] | 9.8 | 2.56% | 2024-03-26 | 2025-05-07 |
| CVE-2024-25420 | An issue in Ignite Realtime Openfire before 4.8.1 allows a remote attacker to escalate privileges via the admin.authorizedJIDs system property component. | [email protected] | 7.2 | 1.62% | 2024-03-26 | 2025-11-11 |
| CVE-2023-32315 KEV | Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. This vulnerability affects all versions of Openfire th | [email protected] | 8.6 | 94.40% | 2023-05-26 | 2025-10-24 |
| CVE-2021-45967 | An issue was discovered in Pascom Cloud Phone System before 7.20.x. A configuration error between NGINX and a backend Tomcat server leads to a path traversal in the Tomcat server, exposing unintended endpoints. | [email protected] | 9.8 | 92.62% | 2022-03-18 | 2024-11-21 |
| CVE-2020-35202 | Ignite Realtime Openfire 4.6.0 has plugins/dbaccess/db-access.jsp sql Stored XSS. | [email protected] | 5.4 | 0.28% | 2020-12-12 | 2024-11-21 |
| CVE-2020-35201 | Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp users Stored XSS. | [email protected] | 5.4 | 0.28% | 2020-12-12 | 2024-11-21 |
| CVE-2020-35200 | Ignite Realtime Openfire 4.6.0 has plugins/clientcontrol/spark-form.jsp Reflective XSS. | [email protected] | 6.1 | 0.84% | 2020-12-12 | 2024-11-21 |
| CVE-2020-35199 | Ignite Realtime Openfire 4.6.0 has create-bookmark.jsp groupchatJID Stored XSS. | [email protected] | 5.4 | 0.28% | 2020-12-12 | 2024-11-21 |
| CVE-2020-35127 | Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-bookmark.jsp Stored XSS. | [email protected] | 5.4 | 0.32% | 2020-12-11 | 2024-11-21 |
| CVE-2020-24604 | A Reflected XSS vulnerability was discovered in Ignite Realtime Openfire version 4.5.1. The XSS vulnerability allows remote attackers to inject arbitrary web script or HTML via the GET request "searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in server-properties.jsp and security-audit-viewer.jsp | [email protected] | 6.1 | 0.98% | 2020-09-02 | 2024-11-21 |
| CVE-2020-24602 | Ignite Realtime Openfire 4.5.1 has a reflected Cross-site scripting vulnerability which allows an attacker to execute arbitrary malicious URL via the vulnerable GET parameter searchName", "searchValue", "searchDescription", "searchDefaultValue","searchPlugin", "searchDescription" and "searchDynamic" in the Server Properties and Security Audit Viewer JSP page | [email protected] | 6.1 | 1.14% | 2020-09-02 | 2024-11-21 |
| CVE-2020-24601 | In Ignite Realtime Openfire 4.5.1 a Stored Cross-site Vulnerability allows an attacker to execute an arbitrary malicious URL via the vulnerable POST parameter searchName", "alias" in the import certificate trusted page | [email protected] | 6.1 | 0.61% | 2020-09-02 | 2024-11-21 |
| CVE-2020-12772 | An issue was discovered in Ignite Realtime Spark 2.8.3 (and the ROAR plugin for it) on Windows. A chat message can include an IMG element with a SRC attribute referencing an external host's IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an attacker to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. Also, access can occur if the user clicks.) | [email protected] | 8.8 | 0.84% | 2020-05-12 | 2024-11-21 |
| CVE-2019-20526 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp password parameter. | [email protected] | 6.1 | 0.47% | 2020-03-19 | 2024-11-21 |
| CVE-2019-20525 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp driver parameter. | [email protected] | 6.1 | 0.47% | 2020-03-19 | 2024-11-21 |
| CVE-2019-20527 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp serverURL parameter. | [email protected] | 6.1 | 0.47% | 2020-03-19 | 2024-11-21 |
| CVE-2019-20528 | Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasource-standard.jsp username parameter. | [email protected] | 6.1 | 0.47% | 2020-03-18 | 2024-11-21 |
| CVE-2019-20366 | An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via isTrustStore to Manage Store Contents. | [email protected] | 6.1 | 1.40% | 2020-01-08 | 2024-11-21 |
| CVE-2019-20365 | An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via search to the Users/Group search page. | [email protected] | 6.1 | 1.03% | 2020-01-08 | 2024-11-21 |
| CVE-2019-20364 | An XSS issue was discovered in Ignite Realtime Openfire 4.4.4 via cacheName to SystemCacheDetails.jsp. | [email protected] | 6.1 | 1.03% | 2020-01-08 | 2024-11-21 |