RSS   Podatności dla 'Prosody'   RSS

2021-05-13
 
CVE-2021-32917

CWE-862
 

 
An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

 
 
CVE-2021-32919

CWE-295
 

 
An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled).

 
 
CVE-2021-32920

CWE-400
 

 
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.

 
2018-07-30
 
CVE-2018-10847

CWE-287
 

 
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.

 
2018-05-09
 
CVE-2017-18265

CWE-noinfo
 

 
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.

 
2016-01-29
 
CVE-2016-0756

 

 
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.

 
2016-01-12
 
CVE-2016-1232

 

 
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.

 
 
CVE-2016-1231

 

 
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.

 
2014-04-10
 
CVE-2014-2750

 

 
Prosody before 0.9.4, when mod_compression is enabled, allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka "zip bomb" attack.

 
 
CVE-2014-2745

CWE-264
 

 
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.

 


Copyright 2024, cxsecurity.com

 

Back to Top