CVE-2009-1596

EUVD-2009-1591
Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Affected Products (NVD)
VendorProductVersion
igniterealtimeopenfire
𝑥
< 3.6.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://secunia.com/advisories/34984
http://www.igniterealtime.org/community/message/190280
http://www.igniterealtime.org/issues/browse/JM-1532
http://www.osvdb.org/54189
http://www.securityfocus.com/bid/34804
https://exchange.xforce.ibmcloud.com/vulnerabilities/50291
http://secunia.com/advisories/34984
http://www.igniterealtime.org/community/message/190280
http://www.igniterealtime.org/issues/browse/JM-1532
http://www.osvdb.org/54189
http://www.securityfocus.com/bid/34804
https://exchange.xforce.ibmcloud.com/vulnerabilities/50291