[Bug 948960] New: CVE-2015-7707: openfire multiple privilege escalation issues
http://bugzilla.opensuse.org/show_bug.cgi?id=948960

Bug ID: 948960
Summary: CVE-2015-7707: openfire multiple privilege escalation issues
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
URL: https://igniterealtime.org/issues/browse/OF-941
OS: openSUSE 13.2
Status: NEW
Severity: Critical
Priority: P5 - None
Component: 3rd party software
Assignee: claes.backstrom@gmail.com
Reporter: astieger@suse.com
QA Contact: opensuse-communityscreening@forge.provo.novell.com
CC: ecsos@schirra.net, maw@pobox.com, nix@opensuse.org, security-team@suse.de
Found By: Security Response Team
Blocker: ---

Courtesy bug from the SUSE Security team for a community maintained package
server:messaging/openfire:

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain
administrator access via the isadmin parameter to user-edit-form.jsp.

Openfire 3.10.2 Cross Site Request Forgery
https://packetstormsecurity.com/files/133554/Openfire-3.10.2-Cross-Site-Requ...

Openfire 3.10.2 Cross Site Scripting
https://packetstormsecurity.com/files/133558/Openfire-3.10.2-Cross-Site-Scri...

Openfire 3.10.2 Privilege Escalation
https://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escal...

Openfire 3.10.2 Remote File Inclusion
https://packetstormsecurity.com/files/133560/Openfire-3.10.2-Remote-File-Inc...

Openfire 3.10.2 Arbitrary File Upload
https://packetstormsecurity.com/files/133561/Openfire-3.10.2-Arbitrary-File-...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7707
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt
http://packetstormsecurity.com/files/133559/Openfire-3.10.2-Privilege-Escala...
https://igniterealtime.org/issues/browse/OF-941
https://www.exploit-db.com/exploits/38190/

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=948960
http://bugzilla.opensuse.org/show_bug.cgi?id=948960#c1

Eric Schirra <ecsos@schirra.net> changed:

      What       |Removed |Added
----------------------------------------------------------------------------
      Status     |NEW     |RESOLVED
      Resolution |---     |UPSTREAM

--- Comment #1 from Eric Schirra <ecsos@schirra.net> ---
13.2 is out of support.
And openfire is now 4.1.1

--
You are receiving this mail because:
You are on the CC list for the bug.