Devakrherz

#31788 of 53,630
8 Total CVSS
Vulnerabilities · 2
Medium: 2
PT-2009-4083
4.0
2009-05-11
Ignite Realtime · Openfire · CVE-2009-1595
Name of the Vulnerable Software and Affected Versions: Openfire versions prior to 3.6.4

Description: The issue allows remote authenticated users to change the passwords of arbitrary accounts via a modified `username` element in a `passwd change` action. This is due to a flaw in the `jabber:iq:auth` implementation in `IQAuthHandler.java`.

Recommendations: For versions prior to 3.6.4, update to version 3.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `passwd change` action to prevent unauthorized password changes.
PT-2009-4084
4.0
2009-05-11
Ignite Realtime · Openfire · CVE-2009-1596
Name of the Vulnerable Software and Affected Versions: Openfire versions prior to 3.6.5

Description: The issue is related to the improper implementation of the `register.password` (also known as `canChangePassword`) console configuration setting. This allows remote authenticated users to bypass the intended policy and change their own passwords via a `passwd change` IQ packet.

Recommendations: For versions prior to 3.6.5, update to version 3.6.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `passwd change` IQ packet to minimize the risk of exploitation.