Igniterealtime Openfire
9 CVEs affecting Igniterealtime Openfire. Latest disclosed: 2026-01-26. Critical: 0, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-32315 | High | 8.6 | 2023-05-26 | Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerabl… |
| CVE-2014-3451 | High | 7.5 | 2017-08-18 | OpenFire XMPP Server before 3.10 accepts self-signed certificates, which allows remote attackers to perform unspecified spoofing attacks. |
| CVE-2020-36956 | Medium | 6.4 | 2026-01-26 | Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' p… |
| CVE-2025-59154 | Medium | 5.9 | 2025-09-15 | Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerabi… |
| CVE-2017-15911 | Medium | 4.8 | 2017-10-26 | The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/s… |
| CVE-2015-7707 | | | 2015-10-05 | Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp. |
| CVE-2015-6973 | | | 2015-09-16 | Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to hijack the authentication of administra… |
| CVE-2015-6972 | | | 2015-09-16 | Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1… |
| CVE-2014-2741 | | | 2014-04-11 | nio/XMLLightweightParser.java in Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remot… |