A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attackers to send arbitrary HTTP GET requests.
https://securityaffairs.com/165607/cyber-crime/crystalray-operations-scaled-10x.html