Openfire is an XMPP server licensed under the Open Source Apache License. Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire installation to access restricted pages in the Openfire Admin Console that are reserved for administrative users. This vulnerability affects all versions of Openfire released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire releases 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be-released first version on the 4.8 branch (expected to be version 4.8.0). Users are advised to upgrade. If an Openfire upgrade isn't available for a specific release, or isn't quickly actionable, users may consult the linked GitHub advisory (GHSA-gw42-f939-fhvm) for mitigation advice.
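A defender's first question on reading this advisory is which of the Openfire instances in an inventory fall inside the affected range. The following triage helper is an added example, not code from the Openfire project or from the advisory: it parses version strings and applies the boundaries the advisory states (affected from 3.10.0; fixed in 4.6.8 and 4.7.5). Two points are assumptions rather than advisory text and are marked as such in the code: that 4.8.0 and later carry the fix, and that a pre-release build of a fix version (such as a `-SNAPSHOT`) should be treated as still affected. The sample inventory is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Version triple (major, minor, patch)
Version = Tuple[int, int, int]

# Boundaries taken from the advisory text.
FIRST_AFFECTED: Version = (3, 10, 0)
# Per maintenance branch: first patch level that carries the fix.
FIXED_ON_BRANCH: Dict[Tuple[int, int], int] = {(4, 6): 8, (4, 7): 5}
# Assumption (not stated verbatim in the advisory): the 4.8 line ships with the fix.
FIXED_FROM: Version = (4, 8, 0)

_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+]([0-9A-Za-z.]+))?\s*$"
)


def parse_version(text: str) -> Optional[Tuple[Version, Optional[str]]]:
    """Parse strings such as '4.7.4', 'v4.6.8' or '4.7.5-SNAPSHOT'.

    Returns ((major, minor, patch), suffix), or None when the string is not a
    recognisable version. A missing patch level is read as 0.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def _is_fix_boundary(v: Version) -> bool:
    """True when v is exactly a version that introduced the fix."""
    if v == FIXED_FROM:
        return True
    branch, patch = (v[0], v[1]), v[2]
    return FIXED_ON_BRANCH.get(branch) == patch


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies in the affected range, False if not,
    None if the string cannot be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    v, suffix = parsed
    # Conservative assumption: a pre-release build (e.g. 4.7.5-SNAPSHOT) of a
    # fix version may predate the fix itself, so treat it as affected.
    if suffix and _is_fix_boundary(v):
        return True
    if v < FIRST_AFFECTED:
        return False
    if v >= FIXED_FROM:
        return False
    fixed_patch = FIXED_ON_BRANCH.get((v[0], v[1]))
    if fixed_patch is not None and v[2] >= fixed_patch:
        return False
    return True


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' / 'not affected' / 'unknown' from host -> version string."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "xmpp-old": "3.9.3",
        "xmpp-1": "4.7.4",
        "xmpp-2": "4.7.5",
        "xmpp-3": "4.6.7",
        "xmpp-4": "4.6.8",
        "xmpp-dev": "4.8.0-SNAPSHOT",
        "xmpp-ga": "4.8.0",
        "xmpp-bad": "latest",
    }
    for host, label in triage(sample).items():
        print(f"{host}: {sample[host]} -> {label}")
```

Hosts labelled "unknown" should be checked by hand rather than dropped from the list; an unparseable version string is more often a sign of an unmanaged install than of a safe one.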
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
| igniterealtime openfire | | |
Chinese Earth Krahang hackers breach 70 orgs in 23 countries. By Bill Toulas, March 18, 2024. A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat (APT) group known as 'Earth Krahang' has breached 70 organizations and targeted at least 116 across 45 countries. According to Trend Micro researchers monitoring the activity, the campaign has been underway since early 2022 and focuses primarily on government organizations. Specifically, the hackers have compromi...
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data. Quarterly figures According to Kaspersky Security Network, in Q3 2023: Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe. A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus components. Attempts to run malware for stealing money from online bank accounts were stopped on the com...
Plus potential links to I-Soon, researchers say
Chinese cyberspies have compromised at least 70 organizations, mostly government entities, and targeted more than 116 victims across the globe, according to security researchers. The Beijing-backed hacking crew, dubbed Earth Krahang, exploits public-facing servers and uses phishing emails to deploy two custom backdoors, according to Trend Micro, which has been monitoring the cyberespionage campaign since early 2022. "One of the threat actor's favorite tactics involves using its malicious a...