Openfire < 3.6.4 Arbitrary Password Manipulation

Medium Nessus Network Monitor Plugin ID 5018


The remote server can be tricked into modifying user credentials


The remote host is running Openfire / Wildfire, an instant messaging server supporting the XMPP protocol. According to its version, the installation of Openfire or Wildfire is affected by a vulnerability that would allow a remote attacker to change the password of any user. In particular, input sent to the 'passwd_change' parameter of the jabber:iq:auth routine is not sufficiently sanitized. An attacker exploiting this flaw would be able to gain access to any user account.


Upgrade to Openfire version 3.6.4 or later.


Plugin Details

Severity: Medium

ID: 5018

Family: CGI

Published: 2004/08/18

Modified: 2018/07/11

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 6.3

Temporal Score: 5.9

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:igniterealtime:openfire

Reference Information

CVE: CVE-2009-1595, CVE-2009-1596

BID: 34804