The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action.

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Openfire | Igniterealtime | 3.2.2 | 3.2.2 |
Openfire | Igniterealtime | * | 3.6.3 |
Openfire | Igniterealtime | 3.4.2 | 3.4.2 |
Openfire | Igniterealtime | 3.0.0 | 3.0.0 |
Openfire | Igniterealtime | 3.0.1 | 3.0.1 |
Openfire | Igniterealtime | 3.2.1 | 3.2.1 |
Openfire | Igniterealtime | 3.4.4 | 3.4.4 |
Openfire | Igniterealtime | 3.1.0 | 3.1.0 |
Openfire | Igniterealtime | 3.4.0 | 3.4.0 |
Openfire | Igniterealtime | 3.6.0 | 3.6.0 |
Openfire | Igniterealtime | 3.2.3 | 3.2.3 |
Openfire | Igniterealtime | 3.4.5 | 3.4.5 |
Openfire | Igniterealtime | 3.3.2 | 3.3.2 |
Openfire | Igniterealtime | 3.2.0 | 3.2.0 |
Openfire | Igniterealtime | 3.5.0 | 3.5.0 |
Openfire | Igniterealtime | 3.4.3 | 3.4.3 |
Openfire | Igniterealtime | 2.6.1 | 2.6.1 |
Openfire | Igniterealtime | 3.6.1 | 3.6.1 |
Openfire | Igniterealtime | 3.6.0a | 3.6.0a |
Openfire | Igniterealtime | 3.6.2 | 3.6.2 |
Openfire | Igniterealtime | 2.6.0 | 2.6.0 |
Openfire | Igniterealtime | 2.6.2 | 2.6.2 |
Openfire | Igniterealtime | 3.1.1 | 3.1.1 |
Openfire | Igniterealtime | 3.5.2 | 3.5.2 |
Openfire | Igniterealtime | 3.3.3 | 3.3.3 |
Openfire | Igniterealtime | 3.5.1 | 3.5.1 |
Openfire | Igniterealtime | 3.2.4 | 3.2.4 |
Openfire | Igniterealtime | 3.3.0 | 3.3.0 |
Openfire | Igniterealtime | 3.4.1 | 3.4.1 |