Vulnerability Details CVE-2009-1596
Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 56.8%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
Products affected by CVE-2009-1596
- cpe:2.3:a:igniterealtime:openfire:3.3.0
- cpe:2.3:a:igniterealtime:openfire:3.3.1
- cpe:2.3:a:igniterealtime:openfire:3.3.2
- cpe:2.3:a:igniterealtime:openfire:3.3.3
- cpe:2.3:a:igniterealtime:openfire:3.4.0
- cpe:2.3:a:igniterealtime:openfire:3.4.1
- cpe:2.3:a:igniterealtime:openfire:3.4.2
- cpe:2.3:a:igniterealtime:openfire:3.4.3
- cpe:2.3:a:igniterealtime:openfire:3.4.4
- cpe:2.3:a:igniterealtime:openfire:3.4.5
- cpe:2.3:a:igniterealtime:openfire:3.5.0
- cpe:2.3:a:igniterealtime:openfire:3.5.1
- cpe:2.3:a:igniterealtime:openfire:3.5.2
- cpe:2.3:a:igniterealtime:openfire:3.6.0
- cpe:2.3:a:igniterealtime:openfire:3.6.1
- cpe:2.3:a:igniterealtime:openfire:3.6.2
- cpe:2.3:a:igniterealtime:openfire:3.6.3
- cpe:2.3:a:igniterealtime:openfire:3.6.4