Prosody · Prosody · CVE-2022-0217
**Name of the Vulnerable Software and Affected Versions**
Prosody (affected versions not specified)
**Description**
The issue is in the implementation of the WebSocket server module for Jabber/XMPP in Prosody and stems from improper restriction of XML external entity references. A remote attacker can exploit it to cause a denial of service. The root cause is an internal Prosody library that loads XML using libexpat and does not properly restrict the XML features allowed in parsed data. As a result, recursive entity references from DTDs may be expanded and, depending on the libexpat version, injection via XML External Entity References may be possible.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
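The description above comes down to a libexpat parser that accepts DTDs and entity declarations it has no need for. The following added example (not Prosody's code and not a vendor fix) shows the restriction applied through Python's `xml.parsers.expat` binding to libexpat; the function name `parse_stanza`, the exception class and the sample inputs are constructed for illustration.

```python
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when input uses an XML feature a stanza parser should refuse."""


def parse_stanza(data: bytes) -> list[str]:
    """Parse one XML fragment and return the element names seen, in order.

    A DOCTYPE, entity declaration, external entity reference or processing
    instruction aborts the parse as soon as libexpat reports it, so no
    entity defined by the sender is ever expanded or resolved.
    """
    names: list[str] = []
    parser = expat.ParserCreate()

    def forbid(kind):
        # Exceptions raised inside an expat callback stop the parser and
        # propagate out of parser.Parse().
        def handler(*_args):
            raise ForbiddenXML(f"{kind} not allowed")
        return handler

    parser.StartDoctypeDeclHandler = forbid("DOCTYPE")
    parser.EntityDeclHandler = forbid("entity declaration")
    parser.ExternalEntityRefHandler = forbid("external entity reference")
    parser.ProcessingInstructionHandler = forbid("processing instruction")
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    # Be explicit that external parameter entities are never loaded.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return names


# Constructed sample inputs (not taken from any real traffic).
PLAIN = b"<message><body>hi</body></message>"
WITH_DTD = b'<!DOCTYPE m [<!ENTITY a "x">]><message><body>&a;</body></message>'

if __name__ == "__main__":
    print(parse_stanza(PLAIN))
    try:
        parse_stanza(WITH_DTD)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE itself, rather than trying to bound entity expansion afterwards, keeps the result independent of which libexpat version is linked.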