Test ID:	1.3.6.1.4.1.25623.1.0.800718
Category:	Web application abuses
Title:	Openfire < 3.6.5 Security Bypass Vulnerabilities
Summary:	Openfire is prone to multiple security bypass vulnerabilities.
Description:	Summary: Openfire is prone to multiple security bypass vulnerabilities. Vulnerability Insight: - An error exists in the 'jabber:iq:auth' implementation in the IQAuthHandler.java File via a modified username element in a passwd_change action. - An error due to improper implementation of 'register.password' console configuration settings via a passwd_change IQ packet. Vulnerability Impact: Successful exploitation will let the attacker change the passwords of arbitrary accounts via a modified username element in a passwd_change action or can bypass intended policy and change their own passwords via a passwd_change IQ packet or will let the attacker bypass intended policy and change their own passwords via a passwd_change IQ packet. Affected Software/OS: Openfire prior to version 3.6.5. Solution: Update to version 3.6.5 or later. CVSS Score: 4.0 CVSS Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-1595 BugTraq ID: 34804 http://www.securityfocus.com/bid/34804 http://osvdb.org/54189 http://secunia.com/advisories/34976 http://www.vupen.com/english/advisories/2009/1237 XForce ISS Database: openfire-jabberiqauth-security-bypass(50292) https://exchange.xforce.ibmcloud.com/vulnerabilities/50292 Common Vulnerability Exposure (CVE) ID: CVE-2009-1596 http://www.osvdb.org/54189 http://secunia.com/advisories/34984 XForce ISS Database: openfire-nopassword-security-bypass(50291) https://exchange.xforce.ibmcloud.com/vulnerabilities/50291
Copyright	Copyright (C) 2009 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.