CVE-2009-1596

Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.

Published: May 11, 2009
Updated: May 9, 2024
CVE: CVE-2009-1596
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-287
CWE-16

OWASP TOP 10:

A2 - Broken Authentication
A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
igniterealtime / openfire	-	3.6.5

http://secunia.com/advisories/34984
http://www.igniterealtime.org/community/message/190280
http://www.igniterealtime.org/issues/browse/JM-1532
http://www.osvdb.org/54189
http://www.securityfocus.com/bid/34804
https://exchange.xforce.ibmcloud.com/vulnerabilities/50291

Vulnerability Database

290,301

CVE-2009-1596