Vendor: Openfire
By: Andreas Kurtz, h0ng10
CVSS: N/A
N/A
Authentication Bypass
CWE: 287
Product Name: Openfire
Affected Version From: 3.6.0a
Affected Version To: 3.6.0a
Patch Exists: YES
Related CWE: CVE-2008-6508
CPE: a:igniterealtime:openfire
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2008

Openfire Admin Console Authentication Bypass

This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java code. This module has been tested against Openfire 3.6.0a.

Mitigation:

Update to the latest version of Openfire