Ignite Realtime Security Information

Version 29

    The Igniterealtime.org Community has established a security email address where questions and security vulnerability disclosures may be sent.


    You can send such reports to the address security (domain part is the same as our website's).


    The following is a list of previous security disclosures for Ignite Realtime projects.


    | Date | Project - Vulnerability | CVE | Jira Ticket | Release Fixed |
    |------|-------------------------|-----|-------------|---------------|
    | 10 Nov 2016 | Smack - Starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used | n/a | SMACK-739 | 4.1.9 |
    | 21 Sep 2016 | Openfire - Reflective Cross-Site Scripting vulnerability on setup test page | n/a | OF-1192 | |
    | 22 Jul 2016 | Openfire - Stored Cross-Site Scripting (Search plugin) | n/a | OF-1165 | 4.0.3 (1.7.1) |
    | 4 Jan 2016 | Openfire - Hard coded account in Cisco Finesse Desktop (custom modification) | | | |
    | 6 Nov 2015 | Openfire - Privilege Escalation in user-edit-form.jsp | | | |
    | 16 Sep 2015 | Openfire - Admin Console XSS | | | |
    | 16 Sep 2015 | Openfire - Admin Console XSS | | | |
    | 31 Oct 2014 | Openfire - XSS vulnerability in Monitoring Service pages in Admin Console (Monitoring Service plugin) | n/a | OF-845 | 4.1.0 |
    | 6 Aug 2014 | Openfire - Multiple Reflected XSS Vulnerabilities in Admin Console | n/a | OF-836 | 4.1.0 |
    | 30 Apr 2014 | Openfire - Admin Console Cross Site Request Forgery (CSRF) Vulnerability | n/a | OF-777 | 4.1.0 |
    | 8 Apr 2014 | Openfire - Uncontrolled Resource Consumption with XMPP-Layer Compression | | | |
    | 11 May 2009 | Openfire - Password Change | CVE-2009-1596 | OF-221 | 3.6.5 |
    | 11 May 2009 | Openfire - Changing other User Passwords | CVE-2009-1595 | OF-1110 | 3.6.4 |
    | 23 Mar 2009 | Openfire - Open redirect vulnerability in login.jsp | CVE-2008-6511 | ... | 3.6.1 |
    | 23 Mar 2009 | Openfire - Cross-site scripting (XSS) vulnerability in login.jsp | CVE-2008-6510 | ... | 3.6.1 |
    | 23 Mar 2009 | Openfire - SQL Injection | CVE-2008-6509 | ... | 3.6.1 |
    | 23 Mar 2009 | Openfire - Directory traversal vulnerability in the AuthCheck filter | CVE-2008-6508 | ... | 3.6.1 |
    | 10 Feb 2009 | Openfire - Directory traversal vulnerability in log.jsp | CVE-2009-0497 | ... | 3.6.3 |
    | 10 Feb 2009 | Openfire - Multiple cross-site scripting (XSS) vulnerabilities | CVE-2009-0496 | ... | 3.6.3 |
    | 11 Apr 2008 | Openfire - Denial of service (daemon outage) in ConnectionManagerImpl.java | CVE-2008-1728 | ... | 3.5.0 |
    | 1 Jun 2007 | Openfire - Unauthorized access through DWR | CVE-2007-2975 | ... | 3.3.2 |
    | 31 Dec 2006 | Openfire - Admin Console - XSS in login.jsp | CVE-2006-7233 | OF-90 | 3.7.0 |
    | 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4876 | OF-90 | 3.7.0 |
    | 31 Dec 2005 | Openfire - Admin Console - XSS in login.jsp | CVE-2005-4877 | OF-90 | 3.7.0 |