Prosody · Prosody · CVE-2018-10847
**Name of the Vulnerable Software and Affected Versions**
Prosody versions prior to 0.10.2
Prosody version 0.9.14
**Description**
The issue allows for an authentication bypass. It occurs because Prosody does not verify that the virtual host associated with a user session remains the same across stream restarts. This means a user may authenticate to one XMPP host and then migrate their authenticated session to another XMPP host of the same Prosody instance.
**Recommendations**
For versions prior to 0.10.2, update to version 0.10.2 or later.
For version 0.9.14, consider upgrading to a newer version to mitigate the risk, as 0.9.14 is specifically mentioned as vulnerable.