This script is Copyright (C) 2009-2011 Tenable Network Security, Inc.
Synopsis :
The remote host contains an application that is affected by a remote
password change vulnerability.
Description :
The remote host is running Openfire / Wildfire, an instant messaging
server supporting the XMPP protocol.
According to its version, the installed Openfire or Wildfire server
does not verify that the requester owns the account before changing
that account's password in response to an 'iq:auth' request. An
authenticated attacker can exploit this vulnerability to change the
passwords of arbitrary Openfire / Wildfire user accounts.
See also :
http://www.igniterealtime.org/community/message/190280
http://www.igniterealtime.org/issues/browse/JM-1531
Solution :
Upgrade to Openfire version 3.6.4 or later.
Risk factor :
Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score : 5.4
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true