2009-05-11 16:30:00 2017-08-17 03:30:25

Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.

Vector

NETWORK

Complexity

LOW

Authentication

SINGLE_INSTANCE

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE
Igniterealtime Openfire 3.1.0 (not an official CPE) Igniterealtime Openfire 3.0.1 (not an official CPE) Igniterealtime Openfire 3.2.0 (not an official CPE) Igniterealtime Openfire 3.1.1 (not an official CPE) Igniterealtime Openfire 3.5.0 (not an official CPE) Igniterealtime Openfire 3.4.1 (not an official CPE) Igniterealtime Openfire 3.3.2 (not an official CPE) Igniterealtime Openfire 3.2.3 (not an official CPE) Igniterealtime Openfire 3.4.2 (not an official CPE) Igniterealtime Openfire 3.6.0 (not an official CPE) Igniterealtime Openfire 3.5.1 (not an official CPE) Igniterealtime Openfire 3.3.3 (not an official CPE) Igniterealtime Openfire 3.2.4 (not an official CPE) Igniterealtime Openfire 3.3.0 (not an official CPE) Igniterealtime Openfire 3.2.1 (not an official CPE) Igniterealtime Openfire 3.4.0 (not an official CPE) Igniterealtime Openfire 3.2.2 (not an official CPE) Igniterealtime Openfire 3.6.1 (not an official CPE) Igniterealtime Openfire 3.5.2 (not an official CPE) Igniterealtime Openfire 3.4.3 (not an official CPE) Igniterealtime Openfire 3.6.2 (not an official CPE) Igniterealtime Openfire 3.4.4 (not an official CPE) Igniterealtime Openfire 3.0.0 (not an official CPE) Igniterealtime Openfire 2.6.0 (not an official CPE) Igniterealtime Openfire 2.6.1 (not an official CPE) Igniterealtime Openfire 3.6.3 (not an official CPE) Igniterealtime Openfire 3.4.5 (not an official CPE) Igniterealtime Openfire 2.6.2 (not an official CPE) Igniterealtime Openfire 3.6.4 (not an official CPE) Igniterealtime Openfire 3.6.0a (not an official CPE)