QwikSec

Security Database

CVE

CWE

Training

CVE-2018-10847

Published: Jul 30, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

4.2

MEDIUM

Description

prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.

Vendor	Product	Versions
[UNKNOWN]	prosody	affected `0.10.2` affected `0.9.14`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://issues.prosody.im/1147

x_refsource_CONFIRM

https://blog.prosody.im/prosody-0-10-2-security-release/

x_refsource_CONFIRM

vendor-advisory

x_refsource_DEBIAN

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10847

x_refsource_CONFIRM

https://prosody.im/security/advisory_20180531/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.