Openfire's administrative console, a web-based
application, was found to be vulnerable to a path traversal attack
via the setup environment. This permitted an unauthenticated user
to use the unauthenticated Openfire Setup Environment in an already
configured Openfire environment to access restricted pages in the
Openfire Admin Console reserved for administrative users. This
vulnerability affects all versions of Openfire that have been
released since April 2015, starting with version 3.10.0. The problem
has been patched in Openfire release 4.7.5 and 4.6.8, and further
improvements will be included in the yet-to-be released first version
on the 4.8 branch (which is expected to be version 4.8.0). Users
are advised to upgrade. If an Openfire upgrade isnt available for
a specific release, or isnt quickly actionable, users may see the
linked github advisory (GHSA-gw42-f939-fhvm) for mitigation advice.