Openfire < 3.6.4 jabber:iq:auth Crafted password_change Request Password Manipulation

Severity: Medium | Nessus Plugin ID 38688

Synopsis

The remote host contains an application that is affected by a remote password change vulnerability.

Description

The remote host is running Openfire / Wildfire, an instant messaging server supporting the XMPP protocol.

According to its version, the installation of Openfire or Wildfire fails to verify that the requester owns an account before changing that account's password in response to a 'jabber:iq:auth' password change request. An authenticated attacker can exploit this vulnerability to change the passwords of arbitrary Openfire / Wildfire user accounts.

Solution

Upgrade to Openfire version 3.6.4 or later.

Plugin Details

Severity: Medium

ID: 38688

File Name: openfire_3_6_4.nasl

Version: 1.14

Type: remote

Family: CGI abuses

Published: 5/5/2009

Updated: 1/19/2021

Configuration: Enable paranoid mode

Risk Information

Vulnerability Priority Rating (VPR)

Risk Factor: Medium

Score: 5.5

CVSS v2.0

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: E:POC/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:igniterealtime:openfire

Required KB Items: Settings/ParanoidReport

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2009-1595

BID: 34804

Secunia: 34976

CWE: 287