CVE-2009-1595
Igniterealtime Openfire < 3.6.3 - Authentication Bypass
The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Daryl Herzmann · text · remote · multiple
https://www.exploit-db.com/exploits/32967
References (8)
Scores
EPSS
0.0826
EPSS Percentile
92.1%
Classification
CWE
CWE-287
Status
draft
Affected Products (30)
igniterealtime/openfire
< 3.6.3
Timeline
Published
May 11, 2009
Tracked Since
Feb 18, 2026