CVE-2009-1596

medium

Description

Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/50291

http://www.igniterealtime.org/issues/browse/JM-1532

Details

Source: Mitre, NVD

Published: 2009-05-11

Updated: 2024-02-13

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N