Prosody: >> Prosody >> 0.9.4 Security Vulnerabilities
Prosody before 0.10.0 allows remote attackers to cause a denial of service (application crash), related to an incompatibility with certain versions of the LuaSocket library, such as the lua-socket package from Debian stretch. The attacker needs to trigger a stream error. A crash can be observed in, for example, the c2s module.
CVSS Score
7.5
EPSS Score
0.011
Published
2018-05-09
The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.
CVSS Score
5.3
EPSS Score
0.007
Published
2016-01-29
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.
CVSS Score
7.5
EPSS Score
0.007
Published
2016-01-12
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
CVSS Score
5.9
EPSS Score
0.007
Published
2016-01-12
Page 2