2009-05-11 16:30:00 2017-08-17 03:30:25

The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action.

Vector

NETWORK

Complexity

LOW

Authentication

SINGLE_INSTANCE

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE
Igniterealtime Openfire 3.1.0 (not an official CPE) Igniterealtime Openfire 3.0.1 (not an official CPE) Igniterealtime Openfire 3.2.0 (not an official CPE) Igniterealtime Openfire 3.1.1 (not an official CPE) Igniterealtime Openfire 3.5.0 (not an official CPE) Igniterealtime Openfire 3.4.1 (not an official CPE) Igniterealtime Openfire 3.3.2 (not an official CPE) Igniterealtime Openfire 3.2.3 (not an official CPE) Igniterealtime Openfire 3.4.2 (not an official CPE) Igniterealtime Openfire 3.6.0 (not an official CPE) Igniterealtime Openfire 3.5.1 (not an official CPE) Igniterealtime Openfire 3.3.3 (not an official CPE) Igniterealtime Openfire 3.2.4 (not an official CPE) Igniterealtime Openfire 3.3.0 (not an official CPE) Igniterealtime Openfire 3.2.1 (not an official CPE) Igniterealtime Openfire 3.4.0 (not an official CPE) Igniterealtime Openfire 3.2.2 (not an official CPE) Igniterealtime Openfire 3.6.1 (not an official CPE) Igniterealtime Openfire 3.5.2 (not an official CPE) Igniterealtime Openfire 3.4.3 (not an official CPE) Igniterealtime Openfire 3.6.2 (not an official CPE) Igniterealtime Openfire 3.4.4 (not an official CPE) Igniterealtime Openfire 3.0.0 (not an official CPE) Igniterealtime Openfire 2.6.0 (not an official CPE) Igniterealtime Openfire 2.6.1 (not an official CPE) Igniterealtime Openfire 3.6.3 (not an official CPE) Igniterealtime Openfire 3.4.5 (not an official CPE) Igniterealtime Openfire 2.6.2 (not an official CPE) Igniterealtime Openfire 3.6.0a (not an official CPE)