CVE-2021-37601 log

Severity Medium
Remote Yes
Type Information disclosure
It was discovered that Prosody 0.11.0 up to 0.11.9 exposes the list of entities (Jabber/XMPP addresses) affiliated (part of) a Multi-User chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, if the whois room configuration was set to anyone. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat of which they know the address if it is hosted on a vulnerable Prosody server.
Group Package Affected Fixed Severity Status Ticket
AVG-2237 prosody 1:0.11.9-2 1:0.11.10-1 Medium Fixed FS#71641
Date Advisory Group Package Severity Type
10 Aug 2021 ASA-202108-11 AVG-2237 prosody Medium information disclosure