It was discovered that Prosody 0.11.0 up to 0.11.9 exposes the list of entities (Jabber/XMPP addresses) affiliated (part of) a Multi-User chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the whois room configuration was set to anyone. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address if it is hosted on a vulnerable Prosody server.
It was discovered that Prosody 0.11.0 up to 0.11.9 exposes the list of entities (Jabber/XMPP addresses) affiliated (part of) a Multi-User chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the whois room configuration was set to anyone. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address if it is hosted on a vulnerable Prosody server.
https://prosody.im/security/advisory_20210722/ https://prosody.im/security/advisory_20210722/1.patch
Vulmon